From e7dd8b5f7811d8c1455a9202e897c6a6f22fade4 Mon Sep 17 00:00:00 2001
From: Andrew Ellison
Date: Tue, 26 Sep 2023 13:11:53 -0500
Subject: [PATCH 1/7] Add docs for multi repo pipelines
---
 .../pipelines/multi-account/index.md | 39 +++++++++++++++++-
 docs/pipelines/multi-account/index.md | 41 +++++++++++++++++--
 sidebars/pipelines.js | 5 +++
 3 files changed, 80 insertions(+), 5 deletions(-)
diff --git a/_docs-sources/pipelines/multi-account/index.md b/_docs-sources/pipelines/multi-account/index.md
index 79843536f..5fd47edfa 100644
--- a/_docs-sources/pipelines/multi-account/index.md
+++ b/_docs-sources/pipelines/multi-account/index.md
@@ -1,3 +1,38 @@
-# Deploying Multi-Account Pipelines
+# Multiple Infrastructure Repos
-
+We recommend using a single `infrastructure-live` repository for managing your organization's infrastructure.
+Sometimes, this isn't possible due to team structure, security requirements, or other limitations.
+In order to accommodate multiple infrastructure repositories, Gruntwork Pipelines is configurable.
+
+## Create Additional Repos
+
+New `infrrastructure-live` repositories can be created using the same process described in the
+[Hello World](../hello-world#setting-up-the-repositories) documentation.
+
+:::info
+Once the repo is created, you'll need to set up machine user access using either the existing machine user and `PIPELINES_DISPATCH` PAT token,
+or one created specifically for this purpose. See [Machine Users](../using-pipelines/machine-users) for more information.
+:::
+
+No special configuration is required for the new `infrastructure-live` repository,
+the Pipelines Dispatch job will identify the source repository and pass that information
+to the shared `infrastructure-pipelines` repository.
+
+## Enable Additional Repos
+
+To ensure no unauthorized access is granted to your `infrastructure-pipelines` repository,
+an allowlist of `infrastructure-live` repositories exists at the root directory.
+To allow resources to be deployed by your new repository,
+add the repository to `repo-allowlist.txt` on a new line.
+
+The new resource should match the name of your repository **exactly** in the format
+`github-org/infrastructure-live-repo-name` with a single repository per line. See the example file below:
+
+```txt title=infrastructure-pipelines/repo-allowlist.txt
+acme/team-1-infrastructure-live
+acme/team-2-infrastructure-live
+```
+
+:::info
+The `INFRA_LIVE_ACCESS_TOKEN` available to the `infrastructure-pipelines` repository must have content read & write access to all repositories in the allowlist.
+:::
diff --git a/docs/pipelines/multi-account/index.md b/docs/pipelines/multi-account/index.md
index 16251659f..714e6b86f 100644
--- a/docs/pipelines/multi-account/index.md
+++ b/docs/pipelines/multi-account/index.md
@@ -1,11 +1,46 @@
-# Deploying Multi-Account Pipelines
+# Multiple Infrastructure Repos
-
+We recommend using a single `infrastructure-live` repository for managing your organization's infrastructure.
+Sometimes, this isn't possible due to team structure, security requirements, or other limitations.
+In order to accommodate multiple infrastructure repositories, Gruntwork Pipelines is configurable.
+
+## Create Additional Repos
+
+New `infrrastructure-live` repositories can be created using the same process described in the
+[Hello World](../hello-world#setting-up-the-repositories) documentation.
+
+:::info
+Once the repo is created, you'll need to set up machine user access using either the existing machine user and `PIPELINES_DISPATCH` PAT token,
+or one created specifically for this purpose. See [Machine Users](../using-pipelines/machine-users) for more information.
+:::
+
+No special configuration is required for the new `infrastructure-live` repository,
+the Pipelines Dispatch job will identify the source repository and pass that information
+to the shared `infrastructure-pipelines` repository.
+
+## Enable Additional Repos
+
+To ensure no unauthorized access is granted to your `infrastructure-pipelines` repository,
+an allowlist of `infrastructure-live` repositories exists at the root directory.
+To allow resources to be deployed by your new repository,
+add the repository to `repo-allowlist.txt` on a new line.
+
+The new resource should match the name of your repository **exactly** in the format
+`github-org/infrastructure-live-repo-name` with a single repository per line. See the example file below:
+
+```txt title=infrastructure-pipelines/repo-allowlist.txt
+acme/team-1-infrastructure-live
+acme/team-2-infrastructure-live
+```
+
+:::info
+The `INFRA_LIVE_ACCESS_TOKEN` available to the `infrastructure-pipelines` repository must have content read & write access to all repositories in the allowlist.
+:::
diff --git a/sidebars/pipelines.js b/sidebars/pipelines.js
index 113153963..ca2046162 100644
--- a/sidebars/pipelines.js
+++ b/sidebars/pipelines.js
@@ -56,6 +56,11 @@ const sidebar = [
 type: "doc",
 id: "pipelines/using-pipelines/index",
 },
+ {
+ label: "Multiple Infrastructure Repos",
+ type: "doc",
+ id: "pipelines/multi-account/index",
+ },
 ],
 },
 {
From b47aa8a6dcac1c0fb6c42f8308197a967bb05501 Mon Sep 17 00:00:00 2001
From: Andrew Ellison
Date: Tue, 26 Sep 2023 15:13:53 -0500
Subject: [PATCH 2/7] Fix typos
---
 _docs-sources/pipelines/multi-account/index.md | 4 ++--
 docs/pipelines/multi-account/index.md | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/_docs-sources/pipelines/multi-account/index.md b/_docs-sources/pipelines/multi-account/index.md
index 5fd47edfa..a17b45260 100644
--- a/_docs-sources/pipelines/multi-account/index.md
+++ b/_docs-sources/pipelines/multi-account/index.md
@@ -6,7 +6,7 @@ In order to accommodate multiple infrastructure repositories, Gruntwork Pipeline
 ## Create Additional Repos
-New `infrrastructure-live` repositories can be created using the same process described in the
+New `infrastructure-live` repositories can be created using the same process described in the
 [Hello World](../hello-world#setting-up-the-repositories) documentation.
 :::info
@@ -21,7 +21,7 @@ to the shared `infrastructure-pipelines` repository.
 ## Enable Additional Repos
 To ensure no unauthorized access is granted to your `infrastructure-pipelines` repository,
-an allowlist of `infrastructure-live` repositories exists at the root directory.
+an allowlist of `infrastructure-live` repositories exists at the root directory of the `infrastructure-pipelines` repository.
 To allow resources to be deployed by your new repository,
 add the repository to `repo-allowlist.txt` on a new line.
diff --git a/docs/pipelines/multi-account/index.md b/docs/pipelines/multi-account/index.md
index 714e6b86f..35921d2c2 100644
--- a/docs/pipelines/multi-account/index.md
+++ b/docs/pipelines/multi-account/index.md
@@ -6,7 +6,7 @@ In order to accommodate multiple infrastructure repositories, Gruntwork Pipeline
 ## Create Additional Repos
-New `infrrastructure-live` repositories can be created using the same process described in the
+New `infrastructure-live` repositories can be created using the same process described in the
 [Hello World](../hello-world#setting-up-the-repositories) documentation.
 :::info
@@ -21,7 +21,7 @@ to the shared `infrastructure-pipelines` repository.
 ## Enable Additional Repos
 To ensure no unauthorized access is granted to your `infrastructure-pipelines` repository,
-an allowlist of `infrastructure-live` repositories exists at the root directory.
+an allowlist of `infrastructure-live` repositories exists at the root directory of the `infrastructure-pipelines` repository.
 To allow resources to be deployed by your new repository,
 add the repository to `repo-allowlist.txt` on a new line.
@@ -41,6 +41,6 @@ The `INFRA_LIVE_ACCESS_TOKEN` available to the `infrastructure-pipelines` reposi
From b397c5fda28b22a5927f2e50001f18375aa6d570 Mon Sep 17 00:00:00 2001
From: Andrew Ellison
Date: Wed, 27 Sep 2023 08:12:39 -0500
Subject: [PATCH 3/7] rename section
---
 _docs-sources/pipelines/multi-account/index.md | 2 +-
 docs/pipelines/multi-account/index.md | 4 ++--
 sidebars/pipelines.js | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/_docs-sources/pipelines/multi-account/index.md b/_docs-sources/pipelines/multi-account/index.md
index a17b45260..147fa778f 100644
--- a/_docs-sources/pipelines/multi-account/index.md
+++ b/_docs-sources/pipelines/multi-account/index.md
@@ -1,4 +1,4 @@
-# Multiple Infrastructure Repos
+# Multiple Infrastructure-Live Repos
 We recommend using a single `infrastructure-live` repository for managing your organization's infrastructure.
 Sometimes, this isn't possible due to team structure, security requirements, or other limitations.
diff --git a/docs/pipelines/multi-account/index.md b/docs/pipelines/multi-account/index.md
index 35921d2c2..1a8d2c3fa 100644
--- a/docs/pipelines/multi-account/index.md
+++ b/docs/pipelines/multi-account/index.md
@@ -1,4 +1,4 @@
-# Multiple Infrastructure Repos
+# Multiple Infrastructure-Live Repos
 We recommend using a single `infrastructure-live` repository for managing your organization's infrastructure.
 Sometimes, this isn't possible due to team structure, security requirements, or other limitations.
@@ -41,6 +41,6 @@ The `INFRA_LIVE_ACCESS_TOKEN` available to the `infrastructure-pipelines` reposi
diff --git a/sidebars/pipelines.js b/sidebars/pipelines.js
index ca2046162..825ef4147 100644
--- a/sidebars/pipelines.js
+++ b/sidebars/pipelines.js
@@ -57,7 +57,7 @@ const sidebar = [
 id: "pipelines/using-pipelines/index",
 },
 {
- label: "Multiple Infrastructure Repos",
+ label: "Multiple Infrastructure-Live Repos",
 type: "doc",
 id: "pipelines/multi-account/index",
 },
From fd2fcde8ada43ca1219b79e0573b6d247b3c979b Mon Sep 17 00:00:00 2001
From: Andrew Ellison
Date: Thu, 28 Sep 2023 10:09:20 -0500
Subject: [PATCH 4/7] address PR comments
---
 .../hello-world/github-enterprise.md | 10 +++++++
 _docs-sources/pipelines/hello-world/index.md | 2 +-
 _docs-sources/pipelines/security/controls.md | 2 +-
 .../machine-users.md | 0
 .../pipelines/security/multi-account.md | 26 +++++++++----------
 .../pipelines/security/using-pipelines.md | 21 +--------------
 .../hello-world/github-enterprise.md | 18 +++++++++++++
 docs/pipelines/hello-world/index.md | 4 +--
 docs/pipelines/security/controls.md | 4 +--
 .../machine-users.md | 0
 .../pipelines/security/multi-account.md | 26 +++++++++++++++----
 .../pipelines/security/using-pipelines.md | 17 +++++-------
 sidebars/pipelines.js | 24 ++++++++---------
 13 files changed, 88 insertions(+), 66 deletions(-)
 create mode 100644 _docs-sources/pipelines/hello-world/github-enterprise.md
 rename _docs-sources/pipelines/{using-pipelines => security}/machine-users.md (100%)
 rename docs/pipelines/multi-account/index.md => _docs-sources/pipelines/security/multi-account.md (68%)
 rename docs/pipelines/using-pipelines/index.md => _docs-sources/pipelines/security/using-pipelines.md (73%)
 create mode 100644 docs/pipelines/hello-world/github-enterprise.md
 rename docs/pipelines/{using-pipelines => security}/machine-users.md (100%)
 rename _docs-sources/pipelines/multi-account/index.md => docs/pipelines/security/multi-account.md (64%)
 rename _docs-sources/pipelines/using-pipelines/index.md => docs/pipelines/security/using-pipelines.md (75%)
diff --git a/_docs-sources/pipelines/hello-world/github-enterprise.md b/_docs-sources/pipelines/hello-world/github-enterprise.md
new file mode 100644
index 000000000..fab764dd3
--- /dev/null
+++ b/_docs-sources/pipelines/hello-world/github-enterprise.md
@@ -0,0 +1,10 @@
+# GitHub Enterprise
+
+Gruntwork Pipelines uses a set of Gruntwork built re-usable Github Actions. Companies using GitHub Enterprise may need to explicitly allow Actions from Gruntwork to run in their GitHub organization. See the "Allow specified actions and reusable workflows" section in [Allowing select actions and reusable workflows to run](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run) to learn more.
+
+You will need to allow the following Actions to run:
+- [pipelines-dispatch](https://github.com/gruntwork-io/pipelines-dispatch)
+- [pipelines-orchestrate](https://github.com/gruntwork-io/pipelines-orchestrate)
+- [pipelines-execute](https://github.com/gruntwork-io/pipelines-execute)
+
+Navigate to each repository to retrieve the latest tagged release for each action.
diff --git a/_docs-sources/pipelines/hello-world/index.md b/_docs-sources/pipelines/hello-world/index.md
index e94bdcbf2..545f036e7 100644
--- a/_docs-sources/pipelines/hello-world/index.md
+++ b/_docs-sources/pipelines/hello-world/index.md
@@ -67,7 +67,7 @@ First, navigate to the `infrastructure-live` repository. Select the `Settings` t
 Next, Navigate to the `infrastructure-pipelines` repository. Select the `Settings` tab, select the `Secrets and variables` drop down on the left side panel, then select `Actions`. Create two secrets named `INFRA_LIVE_ACCESS_TOKEN` and `GRUNTWORK_CODE_ACCESS_TOKEN`. Use your GitHub PAT as the value for both secrets.
 :::warning
-Using a single token with broad access is sufficient for a POC or demo environments. In a production environment, we recommend using a mix of fine-grained and classic PATs to apply the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) to all tokens used in Pipelines workflows. See [machine users](../using-pipelines/machine-users.md) for more information.
+Using a single token with broad access is sufficient for a POC or demo environments. In a production environment, we recommend using a mix of fine-grained and classic PATs to apply the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) to all tokens used in Pipelines workflows. See [machine users](../security/machine-users.md) for more information.
 :::
 ## Generating code
diff --git a/_docs-sources/pipelines/security/controls.md b/_docs-sources/pipelines/security/controls.md
index a0cb28aee..cced53d6c 100644
--- a/_docs-sources/pipelines/security/controls.md
+++ b/_docs-sources/pipelines/security/controls.md
@@ -20,7 +20,7 @@ Gruntwork Pipelines uses a series of GitHub Personal Access Tokens (PAT) to allo
 - `INFRA_LIVE_ACCESS_TOKEN` - A [fine-grained PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) that has read and write access to your `infrastructure-live` repository. This token is used in Pipelines to create pull requests after code generation and add pull request comments.
 - `PIPELINES_DISPATCH_TOKEN` - A fine-grained PAT that can run Workflows in your `infrastructure-pipelines` repository.
-Steps to create a PAT can be found in the official documentation. Refer to [creating a personal access token classic](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) and [creating a fine-grained personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token), respectively. We recommend using [machine users](../using-pipelines/machine-users.md) for this use case.
+Steps to create a PAT can be found in the official documentation. Refer to [creating a personal access token classic](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) and [creating a fine-grained personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token), respectively. We recommend using [machine users](../security/machine-users.md) for this use case.
 To learn more about GitHub PATs, refer to their documentation on [managing personal access tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens).
diff --git a/_docs-sources/pipelines/using-pipelines/machine-users.md b/_docs-sources/pipelines/security/machine-users.md
similarity index 100%
rename from _docs-sources/pipelines/using-pipelines/machine-users.md
rename to _docs-sources/pipelines/security/machine-users.md
diff --git a/docs/pipelines/multi-account/index.md b/_docs-sources/pipelines/security/multi-account.md
similarity index 68%
rename from docs/pipelines/multi-account/index.md
rename to _docs-sources/pipelines/security/multi-account.md
index 1a8d2c3fa..db68ca145 100644
--- a/docs/pipelines/multi-account/index.md
+++ b/_docs-sources/pipelines/security/multi-account.md
@@ -20,27 +20,27 @@ to the shared `infrastructure-pipelines` repository.
 ## Enable Additional Repos
+:::warning
+Once a repo is enabled for pipelines, any code pushed to the `main` branch of that repo will be eligible to access your
+AWS account using OIDC. Ensure you have the [recommended settings](../using-pipelines) for branch protection configured before adding the new
+repository to the allowlist.
+:::
+
 To ensure no unauthorized access is granted to your `infrastructure-pipelines` repository,
-an allowlist of `infrastructure-live` repositories exists at the root directory of the `infrastructure-pipelines` repository.
+an allowlist of `infrastructure-live` repositories exists in the `.gruntwork/config.yml` file in the `infrastructure-pipelines` repository.
 To allow resources to be deployed by your new repository,
-add the repository to `repo-allowlist.txt` on a new line.
+add the repository to the `repo-allow-list` section of `.gruntwork/config.yml`.
 The new resource should match the name of your repository **exactly** in the format
 `github-org/infrastructure-live-repo-name` with a single repository per line. See the example file below:
-```txt title=infrastructure-pipelines/repo-allowlist.txt
-acme/team-1-infrastructure-live
-acme/team-2-infrastructure-live
+```txt title=infrastructure-pipelines/.gruntwork/config.yml
+# The git repos that have permissions to invoke Pipelines jobs
+- repo-allowlist:
+ - acme/team-1-infrastructure-live
+ - acme/team-2-infrastructure-live
 ```
 :::info
 The `INFRA_LIVE_ACCESS_TOKEN` available to the `infrastructure-pipelines` repository must have content read & write access to all repositories in the allowlist.
 :::
-
-
-
diff --git a/docs/pipelines/using-pipelines/index.md b/_docs-sources/pipelines/security/using-pipelines.md
similarity index 73%
rename from docs/pipelines/using-pipelines/index.md
rename to _docs-sources/pipelines/security/using-pipelines.md
index faad02d2c..d53f78195 100644
--- a/docs/pipelines/using-pipelines/index.md
+++ b/_docs-sources/pipelines/security/using-pipelines.md
@@ -1,4 +1,4 @@
-# Using Pipelines
+# Using Pipelines in Production
 Gruntwork Pipelines is designed to be used with a PR based workflow. This means an approval on a PR is an approval to deploy infrastructure, making the configuration of repo settings and branch protection especially important.
@@ -43,22 +43,3 @@ The following is an example of the recommended settings for branch protection:
 1. Gruntwork Pipelines runs `apply` on any changes from the PR
 - On Success, a comment is placed on the PR indicating success
 - On Failure, a new GitHub issue is created describing the failure. A new PR must be created to resolve any failures.
-
-## GitHub Enterprise Users
-
-Gruntwork Pipelines uses a set of Gruntwork built re-usable Github Actions. Companies using GitHub Enterprise may need to explicitly allow Actions from Gruntwork to run in their GitHub organization. See the "Allow specified actions and reusable workflows" section in [Allowing select actions and reusable workflows to run](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run) to learn more.
-
-You will need to allow the following Actions to run:
-- [pipelines-dispatch](https://github.com/gruntwork-io/pipelines-dispatch)
-- [pipelines-orchestrate](https://github.com/gruntwork-io/pipelines-orchestrate)
-- [pipelines-execute](https://github.com/gruntwork-io/pipelines-execute)
-
-Navigate to each repository to retrieve the latest tagged release for each action.
-
-
-
diff --git a/docs/pipelines/hello-world/github-enterprise.md b/docs/pipelines/hello-world/github-enterprise.md
new file mode 100644
index 000000000..94c0bc7f7
--- /dev/null
+++ b/docs/pipelines/hello-world/github-enterprise.md
@@ -0,0 +1,18 @@
+# GitHub Enterprise
+
+Gruntwork Pipelines uses a set of Gruntwork built re-usable Github Actions. Companies using GitHub Enterprise may need to explicitly allow Actions from Gruntwork to run in their GitHub organization. See the "Allow specified actions and reusable workflows" section in [Allowing select actions and reusable workflows to run](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run) to learn more.
+
+You will need to allow the following Actions to run:
+- [pipelines-dispatch](https://github.com/gruntwork-io/pipelines-dispatch)
+- [pipelines-orchestrate](https://github.com/gruntwork-io/pipelines-orchestrate)
+- [pipelines-execute](https://github.com/gruntwork-io/pipelines-execute)
+
+Navigate to each repository to retrieve the latest tagged release for each action.
+
+
+
diff --git a/docs/pipelines/hello-world/index.md b/docs/pipelines/hello-world/index.md
index ce87fba28..dfaa732fd 100644
--- a/docs/pipelines/hello-world/index.md
+++ b/docs/pipelines/hello-world/index.md
@@ -67,7 +67,7 @@ First, navigate to the `infrastructure-live` repository. Select the `Settings` t
 Next, Navigate to the `infrastructure-pipelines` repository. Select the `Settings` tab, select the `Secrets and variables` drop down on the left side panel, then select `Actions`. Create two secrets named `INFRA_LIVE_ACCESS_TOKEN` and `GRUNTWORK_CODE_ACCESS_TOKEN`. Use your GitHub PAT as the value for both secrets.
 :::warning
-Using a single token with broad access is sufficient for a POC or demo environments. In a production environment, we recommend using a mix of fine-grained and classic PATs to apply the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) to all tokens used in Pipelines workflows. See [machine users](../using-pipelines/machine-users.md) for more information.
+Using a single token with broad access is sufficient for a POC or demo environments. In a production environment, we recommend using a mix of fine-grained and classic PATs to apply the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) to all tokens used in Pipelines workflows. See [machine users](../security/machine-users.md) for more information.
 :::
 ## Generating code
@@ -200,6 +200,6 @@ If you are not going to continue using Pipelines after this tutorial, clean up t
diff --git a/docs/pipelines/security/controls.md b/docs/pipelines/security/controls.md
index 7151b3390..5a6fda4b5 100644
--- a/docs/pipelines/security/controls.md
+++ b/docs/pipelines/security/controls.md
@@ -20,7 +20,7 @@ Gruntwork Pipelines uses a series of GitHub Personal Access Tokens (PAT) to allo
 - `INFRA_LIVE_ACCESS_TOKEN` - A [fine-grained PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) that has read and write access to your `infrastructure-live` repository. This token is used in Pipelines to create pull requests after code generation and add pull request comments.
 - `PIPELINES_DISPATCH_TOKEN` - A fine-grained PAT that can run Workflows in your `infrastructure-pipelines` repository.
-Steps to create a PAT can be found in the official documentation. Refer to [creating a personal access token classic](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) and [creating a fine-grained personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token), respectively. We recommend using [machine users](../using-pipelines/machine-users.md) for this use case.
+Steps to create a PAT can be found in the official documentation. Refer to [creating a personal access token classic](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) and [creating a fine-grained personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token), respectively. We recommend using [machine users](../security/machine-users.md) for this use case.
 To learn more about GitHub PATs, refer to their documentation on [managing personal access tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens).
@@ -75,6 +75,6 @@ As highlighted in [dual-repository approach](#dual-repository-approach), because
diff --git a/docs/pipelines/using-pipelines/machine-users.md b/docs/pipelines/security/machine-users.md
similarity index 100%
rename from docs/pipelines/using-pipelines/machine-users.md
rename to docs/pipelines/security/machine-users.md
diff --git a/_docs-sources/pipelines/multi-account/index.md b/docs/pipelines/security/multi-account.md
similarity index 64%
rename from _docs-sources/pipelines/multi-account/index.md
rename to docs/pipelines/security/multi-account.md
index 147fa778f..17396d649 100644
--- a/_docs-sources/pipelines/multi-account/index.md
+++ b/docs/pipelines/security/multi-account.md
@@ -20,19 +20,35 @@ to the shared `infrastructure-pipelines` repository.
 ## Enable Additional Repos
+:::warning
+Once a repo is enabled for pipelines, any code pushed to the `main` branch of that repo will be eligible to access your
+AWS account using OIDC. Ensure you have the [recommended settings](../using-pipelines) for branch protection configured before adding the new
+repository to the allowlist.
+:::
+
 To ensure no unauthorized access is granted to your `infrastructure-pipelines` repository,
-an allowlist of `infrastructure-live` repositories exists at the root directory of the `infrastructure-pipelines` repository.
+an allowlist of `infrastructure-live` repositories exists in the `.gruntwork/config.yml` file in the `infrastructure-pipelines` repository.
 To allow resources to be deployed by your new repository,
-add the repository to `repo-allowlist.txt` on a new line.
+add the repository to the `repo-allow-list` section of `.gruntwork/config.yml`.
 The new resource should match the name of your repository **exactly** in the format
 `github-org/infrastructure-live-repo-name` with a single repository per line. See the example file below:
-```txt title=infrastructure-pipelines/repo-allowlist.txt
-acme/team-1-infrastructure-live
-acme/team-2-infrastructure-live
+```txt title=infrastructure-pipelines/.gruntwork/config.yml
+# The git repos that have permissions to invoke Pipelines jobs
+- repo-allowlist:
+ - acme/team-1-infrastructure-live
+ - acme/team-2-infrastructure-live
 ```
 :::info
 The `INFRA_LIVE_ACCESS_TOKEN` available to the `infrastructure-pipelines` repository must have content read & write access to all repositories in the allowlist.
 :::
+
+
+
diff --git a/_docs-sources/pipelines/using-pipelines/index.md b/docs/pipelines/security/using-pipelines.md
similarity index 75%
rename from _docs-sources/pipelines/using-pipelines/index.md
rename to docs/pipelines/security/using-pipelines.md
index e72963239..827e3619a 100644
--- a/_docs-sources/pipelines/using-pipelines/index.md
+++ b/docs/pipelines/security/using-pipelines.md
@@ -1,4 +1,4 @@
-# Using Pipelines
+# Using Pipelines in Production
 Gruntwork Pipelines is designed to be used with a PR based workflow. This means an approval on a PR is an approval to deploy infrastructure, making the configuration of repo settings and branch protection especially important.
@@ -44,13 +44,10 @@ The following is an example of the recommended settings for branch protection:
 - On Success, a comment is placed on the PR indicating success
 - On Failure, a new GitHub issue is created describing the failure. A new PR must be created to resolve any failures.
-## GitHub Enterprise Users
-Gruntwork Pipelines uses a set of Gruntwork built re-usable Github Actions. Companies using GitHub Enterprise may need to explicitly allow Actions from Gruntwork to run in their GitHub organization. See the "Allow specified actions and reusable workflows" section in [Allowing select actions and reusable workflows to run](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run) to learn more.
-
-You will need to allow the following Actions to run:
-- [pipelines-dispatch](https://github.com/gruntwork-io/pipelines-dispatch)
-- [pipelines-orchestrate](https://github.com/gruntwork-io/pipelines-orchestrate)
-- [pipelines-execute](https://github.com/gruntwork-io/pipelines-execute)
-
-Navigate to each repository to retrieve the latest tagged release for each action.
+
diff --git a/sidebars/pipelines.js b/sidebars/pipelines.js
index 825ef4147..caf089f80 100644
--- a/sidebars/pipelines.js
+++ b/sidebars/pipelines.js
@@ -47,19 +47,9 @@ const sidebar = [
 id: "pipelines/hello-world/index",
 },
 {
- label: "Machine Users",
+ label: "GitHub Enterprise",
 type: "doc",
- id: "pipelines/using-pipelines/machine-users",
- },
- {
- label: "Using Pipelines",
- type: "doc",
- id: "pipelines/using-pipelines/index",
- },
- {
- label: "Multiple Infrastructure-Live Repos",
- type: "doc",
- id: "pipelines/multi-account/index",
+ id: "pipelines/hello-world/github-enterprise",
 },
 ],
 },
@@ -78,6 +68,16 @@ const sidebar = [
 type: "doc",
 id: "pipelines/security/repository-access",
 },
+ {
+ label: "Using Pipelines in Production",
+ type: "doc",
+ id: "pipelines/security/using-pipelines",
+ },
+ {
+ label: "Multiple Infrastructure-Live Repos",
+ type: "doc",
+ id: "pipelines/security/multi-account",
+ },
 ]
 },
 // TODO write these docs once we identify common cases
From b71d6a002c0933b86d1a91944bed4006e894707f Mon Sep 17 00:00:00 2001
From: Andrew Ellison
Date: Thu, 28 Sep 2023 13:36:14 -0500
Subject: [PATCH 5/7] Add detail on when multi-repo might be useful
---
 _docs-sources/pipelines/security/multi-account.md | 8 ++++++++
 docs/pipelines/security/multi-account.md | 10 +++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/_docs-sources/pipelines/security/multi-account.md b/_docs-sources/pipelines/security/multi-account.md
index db68ca145..c9dab376e 100644
--- a/_docs-sources/pipelines/security/multi-account.md
+++ b/_docs-sources/pipelines/security/multi-account.md
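Review bot: The first hunk removes the `Machine Users` sidebar item (`- id: "pipelines/using-pipelines/machine-users"`) but neither hunk adds an item for the relocated page, while the second hunk adds entries only for `pipelines/security/using-pipelines` and `pipelines/security/multi-account`. The diffstat for this patch renames `docs/pipelines/using-pipelines/machine-users.md` to `docs/pipelines/security/machine-users.md`, so the page still exists and is linked from `hello-world` and `controls`, but unless an entry for it already sits in the security section outside this hunk, the least-privilege PAT guidance is no longer reachable from the navigation. I would add an item for it next to the two new security entries, so readers following the `:::warning` in `hello-world` can also find it from the sidebar. The `sidebar` array starts and ends outside the hunk.
```javascript
      id: "pipelines/security/repository-access",
    },
    {
      label: "Machine Users",
      type: "doc",
      id: "pipelines/security/machine-users",
    },
    // … unchanged: "Using Pipelines in Production" and "Multiple Infrastructure-Live Repos" entries …
```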
@@ -2,6 +2,14 @@ We recommend using a single `infrastructure-live` repository for managing your organization's infrastructure. Sometimes, this isn't possible due to team structure, security requirements, or other limitations. +You may choose to use multiple repos to: + +1. Facilitate more granular access controls +1. Separate concerns that do not require shared configuration +1. Ease the burden of high traffic repos (reducing the likelihood of feature branches becoming out-of-date relative to `main`) + +However, when using multiple repos it is more difficult to share configuration across environments so think carefully about +your specific use case before making the decision. In order to accommodate multiple infrastructure repositories, Gruntwork Pipelines is configurable. ## Create Additional Repos diff --git a/docs/pipelines/security/multi-account.md b/docs/pipelines/security/multi-account.md index 17396d649..4fa4ee388 100644 --- a/docs/pipelines/security/multi-account.md +++ b/docs/pipelines/security/multi-account.md @@ -2,6 +2,14 @@ We recommend using a single `infrastructure-live` repository for managing your organization's infrastructure. Sometimes, this isn't possible due to team structure, security requirements, or other limitations. +You may choose to use multiple repos to: + +1. Facilitate more granular access controls +1. Separate concerns that do not require shared configuration +1. Ease the burden of high traffic repos (reducing the likelihood of feature branches becoming out-of-date relative to `main`) + +However, when using multiple repos it is more difficult to share configuration across environments so think carefully about +your specific use case before making the decision. In order to accommodate multiple infrastructure repositories, Gruntwork Pipelines is configurable. ## Create Additional Repos @@ -49,6 +57,6 @@ The `INFRA_LIVE_ACCESS_TOKEN` available to the `infrastructure-pipelines` reposi 
From b659c630769e2af2f0ac0fc55c16944a38865c2f Mon Sep 17 00:00:00 2001 From: Andrew Ellison Date: Thu, 28 Sep 2023 15:31:06 -0500 Subject: [PATCH 6/7] more pr comments --- .../hello-world/github-enterprise.md | 2 +- _docs-sources/pipelines/hello-world/index.md | 2 +- ...sing-pipelines.md => branch-protection.md} | 2 +- _docs-sources/pipelines/security/controls.md | 2 +- .../pipelines/security/multi-account.md | 18 ++++++++--------- .../hello-world/github-enterprise.md | 4 ++-- docs/pipelines/hello-world/index.md | 4 ++-- ...sing-pipelines.md => branch-protection.md} | 4 ++-- docs/pipelines/security/controls.md | 4 ++-- docs/pipelines/security/multi-account.md | 20 +++++++++---------- sidebars/pipelines.js | 4 ++-- 11 files changed, 33 insertions(+), 33 deletions(-) rename _docs-sources/pipelines/security/{using-pipelines.md => branch-protection.md} (98%) rename docs/pipelines/security/{using-pipelines.md => branch-protection.md} (97%) diff --git a/_docs-sources/pipelines/hello-world/github-enterprise.md b/_docs-sources/pipelines/hello-world/github-enterprise.md index fab764dd3..ac8e198cc 100644 --- a/_docs-sources/pipelines/hello-world/github-enterprise.md +++ b/_docs-sources/pipelines/hello-world/github-enterprise.md 
@@ -1,6 +1,6 @@ # GitHub Enterprise -Gruntwork Pipelines uses a set of Gruntwork built re-usable Github Actions. Companies using GitHub Enterprise may need to explicitly allow Actions from Gruntwork to run in their GitHub organization. See the "Allow specified actions and reusable workflows" section in [Allowing select actions and reusable workflows to run](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run) to learn more. +Gruntwork Pipelines includes a set of re-usable GitHub Actions built by Gruntwork. Companies using GitHub Enterprise may need to explicitly allow GitHub Actions from Gruntwork to run in their GitHub organization. See the "Allow specified actions and reusable workflows" section in [Allowing select actions and reusable workflows to run](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run) to learn more. You will need to allow the following Actions to run: - [pipelines-dispatch](https://github.com/gruntwork-io/pipelines-dispatch) diff --git a/_docs-sources/pipelines/hello-world/index.md b/_docs-sources/pipelines/hello-world/index.md index 545f036e7..a7c6846d3 100644 --- a/_docs-sources/pipelines/hello-world/index.md +++ b/_docs-sources/pipelines/hello-world/index.md 
@@ -55,7 +55,7 @@ For a simple proof of concept, the default repo configuration will suffice. Before using these repositories in a production environment, we recommend setting up a [branch protection rule](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule) for your `main` branch. At a minimum, we recommend enabling requiring a pull request before merging with at least one reviewer required. -See [Using Pipelines](/pipelines/using-pipelines#recommended-settings) for recommended settings. +See [Using Pipelines](../security/branch-protection#recommended-settings) for recommended settings. ::: ### Setting up secrets diff --git a/_docs-sources/pipelines/security/using-pipelines.md b/_docs-sources/pipelines/security/branch-protection.md similarity index 98% rename from _docs-sources/pipelines/security/using-pipelines.md rename to _docs-sources/pipelines/security/branch-protection.md index d53f78195..30885a3f1 100644 --- a/_docs-sources/pipelines/security/using-pipelines.md +++ b/_docs-sources/pipelines/security/branch-protection.md @@ -1,4 +1,4 @@ -# Using Pipelines in Production +# Branch Protection Gruntwork Pipelines is designed to be used with a PR based workflow. This means an approval on a PR is an approval to deploy infrastructure, making the configuration of repo settings and branch protection especially important. diff --git a/_docs-sources/pipelines/security/controls.md b/_docs-sources/pipelines/security/controls.md index cced53d6c..9809f412a 100644 --- a/_docs-sources/pipelines/security/controls.md +++ b/_docs-sources/pipelines/security/controls.md 
@@ -4,7 +4,7 @@ Pipelines takes a defense in depth approach to securing workflows. This document ## Dual-repository approach -Pipelines dual-repository approach separates infrastructure definitions from infrastructure deployment mechanisms. Pipelines requires two repositories —`infrastructure-pipelines`, where deployment workflows are defined and `infrastructure-live`, where infrastructure is defined as code. Each repository should have branch protection rules to prevent un-reviewed code from being deployed. Refer to [Recommended Settings](../using-pipelines#recommended-settings) in [using pipelines](../using-pipelines) to learn more. +Pipelines dual-repository approach separates infrastructure definitions from infrastructure deployment mechanisms. Pipelines requires two repositories —`infrastructure-pipelines`, where deployment workflows are defined and `infrastructure-live`, where infrastructure is defined as code. Each repository should have branch protection rules to prevent un-reviewed code from being deployed. Refer to [Recommended Settings](branch-protection#recommended-settings) in [Branch Protection](branch-protection) to learn more. To control access to these repositories we recommend creating GitHub teams. Write access to the `infrastructure-pipelines` repository should be limited to individuals that already have administrative access to your AWS accounts (see [accessing AWS resources](#accessing-aws-resources)). Read and write access to the `infrastructure-live` repository should be granted to any individual who needs to define infrastructure as code. See [repository access](repository-access.md) for more details. diff --git a/_docs-sources/pipelines/security/multi-account.md b/_docs-sources/pipelines/security/multi-account.md index c9dab376e..88eb3a856 100644 --- a/_docs-sources/pipelines/security/multi-account.md +++ b/_docs-sources/pipelines/security/multi-account.md 
@@ -1,16 +1,16 @@ # Multiple Infrastructure-Live Repos -We recommend using a single `infrastructure-live` repository for managing your organization's infrastructure. +We recommend using a single `infrastructure-live` git repository for managing your organization's infrastructure. Sometimes, this isn't possible due to team structure, security requirements, or other limitations. -You may choose to use multiple repos to: +You may choose to use multiple `infrastructure-live` repos to: 1. Facilitate more granular access controls 1. Separate concerns that do not require shared configuration 1. Ease the burden of high traffic repos (reducing the likelihood of feature branches becoming out-of-date relative to `main`) -However, when using multiple repos it is more difficult to share configuration across environments so think carefully about -your specific use case before making the decision. -In order to accommodate multiple infrastructure repositories, Gruntwork Pipelines is configurable. +Note that when using multiple repositories, it is more difficult to share a infrastructure configuration across environments, +so think carefully about your specific use case before making the decision. + ## Create Additional Repos 
@@ -18,8 +18,8 @@ New `infrastructure-live` repositories can be created using the same process des [Hello World](../hello-world#setting-up-the-repositories) documentation. :::info -Once the repo is created, you'll need to set up machine user access using either the existing machine user and `PIPELINES_DISPATCH` PAT token, -or one created specifically for this purpose. See [Machine Users](../using-pipelines/machine-users) for more information. +Once the repository is created, you'll need to set up machine user access using either the existing machine user and `PIPELINES_DISPATCH` PAT token, +or one created specifically for this purpose. See [Machine Users](machine-users) for more information. ::: No special configuration is required for the new `infrastructure-live` repository, @@ -29,8 +29,8 @@ to the shared `infrastructure-pipelines` repository. ## Enable Additional Repos :::warning -Once a repo is enabled for pipelines, any code pushed to the `main` branch of that repo will be eligible to access your -AWS account using OIDC. Ensure you have the [recommended settings](../using-pipelines) for branch protection configured before adding the new +Once a repository is enabled for pipelines, any code pushed to the `main` branch of that repository will be eligible to access your +AWS account using OIDC. Ensure you have the [recommended settings](branch-protection) for branch protection configured before adding the new repository to the allowlist. ::: diff --git a/docs/pipelines/hello-world/github-enterprise.md b/docs/pipelines/hello-world/github-enterprise.md index 94c0bc7f7..d68a38d7d 100644 --- a/docs/pipelines/hello-world/github-enterprise.md +++ b/docs/pipelines/hello-world/github-enterprise.md 
@@ -1,6 +1,6 @@ # GitHub Enterprise -Gruntwork Pipelines uses a set of Gruntwork built re-usable Github Actions. Companies using GitHub Enterprise may need to explicitly allow Actions from Gruntwork to run in their GitHub organization. See the "Allow specified actions and reusable workflows" section in [Allowing select actions and reusable workflows to run](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run) to learn more. +Gruntwork Pipelines includes a set of re-usable GitHub Actions built by Gruntwork. Companies using GitHub Enterprise may need to explicitly allow GitHub Actions from Gruntwork to run in their GitHub organization. See the "Allow specified actions and reusable workflows" section in [Allowing select actions and reusable workflows to run](https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run) to learn more. You will need to allow the following Actions to run: - [pipelines-dispatch](https://github.com/gruntwork-io/pipelines-dispatch) @@ -13,6 +13,6 @@ Navigate to each repository to retrieve the latest tagged release for each actio diff --git a/docs/pipelines/hello-world/index.md b/docs/pipelines/hello-world/index.md index dfaa732fd..a6267b57a 100644 --- a/docs/pipelines/hello-world/index.md +++ b/docs/pipelines/hello-world/index.md 
@@ -55,7 +55,7 @@ For a simple proof of concept, the default repo configuration will suffice. Before using these repositories in a production environment, we recommend setting up a [branch protection rule](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule) for your `main` branch. At a minimum, we recommend enabling requiring a pull request before merging with at least one reviewer required. -See [Using Pipelines](/pipelines/using-pipelines#recommended-settings) for recommended settings. +See [Using Pipelines](../security/branch-protection#recommended-settings) for recommended settings. ::: ### Setting up secrets @@ -200,6 +200,6 @@ If you are not going to continue using Pipelines after this tutorial, clean up t diff --git a/docs/pipelines/security/using-pipelines.md b/docs/pipelines/security/branch-protection.md similarity index 97% rename from docs/pipelines/security/using-pipelines.md rename to docs/pipelines/security/branch-protection.md index 827e3619a..ccc9bda54 100644 --- a/docs/pipelines/security/using-pipelines.md +++ b/docs/pipelines/security/branch-protection.md @@ -1,4 +1,4 @@ -# Using Pipelines in Production +# Branch Protection Gruntwork Pipelines is designed to be used with a PR based workflow. This means an approval on a PR is an approval to deploy infrastructure, making the configuration of repo settings and branch protection especially important. @@ -48,6 +48,6 @@ The following is an example of the recommended settings for branch protection: diff --git a/docs/pipelines/security/controls.md b/docs/pipelines/security/controls.md index 5a6fda4b5..f8eb4ab5b 100644 --- a/docs/pipelines/security/controls.md +++ b/docs/pipelines/security/controls.md 
@@ -4,7 +4,7 @@ Pipelines takes a defense in depth approach to securing workflows. This document ## Dual-repository approach -Pipelines dual-repository approach separates infrastructure definitions from infrastructure deployment mechanisms. Pipelines requires two repositories —`infrastructure-pipelines`, where deployment workflows are defined and `infrastructure-live`, where infrastructure is defined as code. Each repository should have branch protection rules to prevent un-reviewed code from being deployed. Refer to [Recommended Settings](../using-pipelines#recommended-settings) in [using pipelines](../using-pipelines) to learn more. +Pipelines dual-repository approach separates infrastructure definitions from infrastructure deployment mechanisms. Pipelines requires two repositories —`infrastructure-pipelines`, where deployment workflows are defined and `infrastructure-live`, where infrastructure is defined as code. Each repository should have branch protection rules to prevent un-reviewed code from being deployed. Refer to [Recommended Settings](branch-protection#recommended-settings) in [Branch Protection](branch-protection) to learn more. To control access to these repositories we recommend creating GitHub teams. Write access to the `infrastructure-pipelines` repository should be limited to individuals that already have administrative access to your AWS accounts (see [accessing AWS resources](#accessing-aws-resources)). Read and write access to the `infrastructure-live` repository should be granted to any individual who needs to define infrastructure as code. See [repository access](repository-access.md) for more details. @@ -75,6 +75,6 @@ As highlighted in [dual-repository approach](#dual-repository-approach), because diff --git a/docs/pipelines/security/multi-account.md b/docs/pipelines/security/multi-account.md index 4fa4ee388..bac44c8e3 100644 --- a/docs/pipelines/security/multi-account.md +++ b/docs/pipelines/security/multi-account.md 
@@ -1,16 +1,16 @@ # Multiple Infrastructure-Live Repos -We recommend using a single `infrastructure-live` repository for managing your organization's infrastructure. +We recommend using a single `infrastructure-live` git repository for managing your organization's infrastructure. Sometimes, this isn't possible due to team structure, security requirements, or other limitations. -You may choose to use multiple repos to: +You may choose to use multiple `infrastructure-live` repos to: 1. Facilitate more granular access controls 1. Separate concerns that do not require shared configuration 1. Ease the burden of high traffic repos (reducing the likelihood of feature branches becoming out-of-date relative to `main`) -However, when using multiple repos it is more difficult to share configuration across environments so think carefully about -your specific use case before making the decision. -In order to accommodate multiple infrastructure repositories, Gruntwork Pipelines is configurable. +Note that when using multiple repositories, it is more difficult to share a infrastructure configuration across environments, +so think carefully about your specific use case before making the decision. + ## Create Additional Repos 
@@ -18,8 +18,8 @@ New `infrastructure-live` repositories can be created using the same process des [Hello World](../hello-world#setting-up-the-repositories) documentation. :::info -Once the repo is created, you'll need to set up machine user access using either the existing machine user and `PIPELINES_DISPATCH` PAT token, -or one created specifically for this purpose. See [Machine Users](../using-pipelines/machine-users) for more information. +Once the repository is created, you'll need to set up machine user access using either the existing machine user and `PIPELINES_DISPATCH` PAT token, +or one created specifically for this purpose. See [Machine Users](machine-users) for more information. ::: No special configuration is required for the new `infrastructure-live` repository, @@ -29,8 +29,8 @@ to the shared `infrastructure-pipelines` repository. ## Enable Additional Repos :::warning -Once a repo is enabled for pipelines, any code pushed to the `main` branch of that repo will be eligible to access your -AWS account using OIDC. Ensure you have the [recommended settings](../using-pipelines) for branch protection configured before adding the new +Once a repository is enabled for pipelines, any code pushed to the `main` branch of that repository will be eligible to access your +AWS account using OIDC. Ensure you have the [recommended settings](branch-protection) for branch protection configured before adding the new repository to the allowlist. ::: @@ -57,6 +57,6 @@ The `INFRA_LIVE_ACCESS_TOKEN` available to the `infrastructure-pipelines` reposi diff --git a/sidebars/pipelines.js b/sidebars/pipelines.js index caf089f80..51380116f 100644 --- a/sidebars/pipelines.js +++ b/sidebars/pipelines.js 
@@ -69,9 +69,9 @@ const sidebar = [
 id: "pipelines/security/repository-access",
 },
 {
- label: "Using Pipelines in Production",
+ label: "Branch Protection",
 type: "doc",
- id: "pipelines/security/using-pipelines",
+ id: "pipelines/security/branch-protection",
 },
 {
 label: "Multiple Infrastructure-Live Repos",
From 6a886b3bc32ad58448e9e55f4e473837bb3b6709 Mon Sep 17 00:00:00 2001
From: Andrew Ellison
Date: Fri, 29 Sep 2023 08:28:36 -0500
Subject: [PATCH 7/7] fix yml file example
---
 _docs-sources/pipelines/security/multi-account.md | 4 ++--
 docs/pipelines/security/multi-account.md | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/_docs-sources/pipelines/security/multi-account.md b/_docs-sources/pipelines/security/multi-account.md
index 88eb3a856..5d67b31ca 100644
--- a/_docs-sources/pipelines/security/multi-account.md
+++ b/_docs-sources/pipelines/security/multi-account.md
@@ -42,9 +42,9 @@ add the repository to the `repo-allow-list` section of `.gruntwork/config.yml`.
 The new resource should match the name of your repository **exactly** in the format
 `github-org/infrastructure-live-repo-name` with a single repository per line. See the example file below:
 
-```txt title=infrastructure-pipelines/.gruntwork/config.yml
+```yml title=infrastructure-pipelines/.gruntwork/config.yml
 # The git repos that have permissions to invoke Pipelines jobs
-- repo-allowlist:
+repo-allow-list:
 - acme/team-1-infrastructure-live
 - acme/team-2-infrastructure-live
 ```
diff --git a/docs/pipelines/security/multi-account.md b/docs/pipelines/security/multi-account.md
index bac44c8e3..7754b015e 100644
--- a/docs/pipelines/security/multi-account.md
+++ b/docs/pipelines/security/multi-account.md
@@ -42,9 +42,9 @@ add the repository to the `repo-allow-list` section of `.gruntwork/config.yml`. The new resource should match the name of your repository **exactly** in the format `github-org/infrastructure-live-repo-name` with a single repository per line. See the example file below: -```txt title=infrastructure-pipelines/.gruntwork/config.yml +```yml title=infrastructure-pipelines/.gruntwork/config.yml # The git repos that have permissions to invoke Pipelines jobs -- repo-allowlist: +repo-allow-list: - acme/team-1-infrastructure-live - acme/team-2-infrastructure-live ``` @@ -57,6 +57,6 @@ The `INFRA_LIVE_ACCESS_TOKEN` available to the `infrastructure-pipelines` reposi