CircleCI OIDC (#1729)

* Upgrade AWS Ruby SDK to v3

* Use CircleCI OIDC to auth with AWS

.circleci/config.yml

@@ -1,9 +1,12 @@
+aws_cli_setup: &aws_cli_setup
+  role-arn: $AWS_ROLE_ARN
+
 base_job: &base_job
   executor:
     name: android/android-machine
     resource-class: xlarge
     tag: 2022.08.1
-  working_directory: '~/project'
+  working_directory: "~/project"
   environment:
     TERM: dumb
     ADB_INSTALL_TIMEOUT: 8
@@ -12,6 +15,7 @@ base_job: &base_job
 version: 2.1
 orbs:
   android: circleci/android@2.1.2
+  aws-cli: circleci/aws-cli@3.1
   codecov: codecov/codecov@3.2.4
 jobs:
   build:
@@ -73,7 +77,7 @@ jobs:
             - v5-android-{{ checksum "build.gradle" }}-{{ checksum  "app/build.gradle" }}
             - v5-android-
       - attach_workspace:
-            at: ~/project
+          at: ~/project
       - android/create-avd:
           avd-name: Emulator
           system-image: system-images;android-30;google_apis;x86
@@ -165,6 +169,8 @@ jobs:
       - run:
           name: Install Firebase CLI
           command: curl -sL https://firebase.tools | bash
+      - aws-cli/setup:
+          <<: *aws_cli_setup
       - run:
           name: Deploy Internal to Crashlytics and S3
           command: bundle exec fastlane internal
@@ -198,32 +204,32 @@ jobs:
           command: bundle exec fastlane internal
 
   release:
-   <<: *base_job
-   steps:
-     - checkout
-     - restore_cache:
-         keys:
-           - v5-android-{{ checksum "build.gradle" }}-{{ checksum  "app/build.gradle" }}
-           - v5-android-
-     - restore_cache:
-         keys:
-           - v1-bundler-{{ checksum "Gemfile.lock" }}
-           - v1-bundler-
-     - run:
-         name: Bundle install
-         command: bundle check || bundle install --path vendor/bundle
-     - save_cache:
-         key: v1-bundler-{{ checksum "Gemfile.lock" }}
-         paths:
-           - ./vendor/bundle
-     - attach_workspace:
-         at: ~/project
-     - run:
-         name: Install Firebase CLI
-         command: curl -sL https://firebase.tools | bash
-     - run:
-         name: Deploy Internal to Crashlytics and S3
-         command: bundle exec fastlane external
+    <<: *base_job
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+            - v5-android-{{ checksum "build.gradle" }}-{{ checksum  "app/build.gradle" }}
+            - v5-android-
+      - restore_cache:
+          keys:
+            - v1-bundler-{{ checksum "Gemfile.lock" }}
+            - v1-bundler-
+      - run:
+          name: Bundle install
+          command: bundle check || bundle install --path vendor/bundle
+      - save_cache:
+          key: v1-bundler-{{ checksum "Gemfile.lock" }}
+          paths:
+            - ./vendor/bundle
+      - attach_workspace:
+          at: ~/project
+      - run:
+          name: Install Firebase CLI
+          command: curl -sL https://firebase.tools | bash
+      - run:
+          name: Deploy Internal to Crashlytics and S3
+          command: bundle exec fastlane external
 
 workflows:
   version: 2.1
@@ -258,6 +264,7 @@ workflows:
             branches:
               only: /regression-.*/
       - internal:
+          context: aws
           requires:
             - build
             - test

Gemfile

@@ -1,7 +1,7 @@
 source 'https://rubygems.org'
 
 gem 'activesupport'
-gem 'aws-sdk', '~> 3.0'
+gem 'aws-sdk-s3', '~> 1.0'
 gem 'configs'
 gem 'commander'
 gem 'excon'

config/s3.yml.example

@@ -1,3 +0,0 @@
-default:
-  access_key: ''
-  secret_key: ''

fastlane/Fastfile

@@ -23,7 +23,7 @@ lane :alpha do
 
   slack(
     slack_url: Milkrun::SlackWebhookExtractor.new.webhook,
-    message: slack_message
+    pretext: slack_message
   )
 end
 
@@ -52,7 +52,7 @@ lane :external do
 
   slack(
     slack_url: Milkrun::SlackWebhookExtractor.new.webhook,
-    message: slack_message
+    pretext: slack_message
   )
 end
 

fastlane/Pluginfile

@@ -2,5 +2,4 @@
 #
 # Ensure this file is checked in to source control!
 
-gem 'fastlane-plugin-aws_s3'
 gem 'fastlane-plugin-firebase_app_distribution'

lib/milkrun.rb

@@ -1,7 +1,7 @@
 require 'rubygems'
 
 require 'active_support/core_ext/string/inflections'
-require 'aws-sdk'
+require 'aws-sdk-s3'
 require 'configs'
 require 'logger'
 require 'pathname'
@@ -70,10 +70,6 @@ module Milkrun
   end
 
   def self.s3_client
-    @s3_client ||= Aws::S3::Client.new({
-       access_key_id:     ENV['AWS_ACCESS_KEY_ID']     || Configs[:s3][:access_key],
-       secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'] || Configs[:s3][:secret_key],
-       region:            ENV['AWS_REGION']            || 'us-east-1'
-     })
+    @s3_client ||= Aws::S3::Client.new
   end
 end

lib/milkrun/s3_package.rb

@@ -12,10 +12,10 @@ module Milkrun
 
       File.open(file_path, 'rb') do |file|
         Milkrun.s3_client.put_object(
-          body: file,
-          bucket: Milkrun.bucket,
+          bucket:       Milkrun.bucket,
+          key:          package_key,
+          body:         file,
           content_type: "application/vnd.android.package-archive",
-          key: package_key
         )
       end
 

ops/cfn/0-ci.yml

@@ -1,44 +0,0 @@
----
-AWSTemplateFormatVersion: '2010-09-09'
-Description: Creates IAM policies + IAM user with permissions for CI
-
-Parameters:
-  Environment:
-    Description: Environment
-    Type: String
-    Default: base
-  Service:
-    Description: Service
-    Type: String
-    Default: ksr-android
-
-Resources:
-  CircleCIUser:
-    Type: 'AWS::IAM::User'
-    Properties:
-      Path: /
-      Policies: []
- 
-  S3Policy:
-   Type: "AWS::IAM::Policy"
-   Properties:
-     Users:
-       - !Ref CircleCIUser
-     PolicyName: "S3Permissions"
-     PolicyDocument:
-       Version: "2012-10-17"
-       Statement:
-         -
-           Effect: "Allow"
-           Action:
-             - "s3:GetObject"
-             - "s3:PutObject"
-             - "s3:PutObjectAcl"
-           Resource:
-             - "arn:aws:s3:::android-ksr-builds"
-             - "arn:aws:s3:::android-ksr-builds/*"
-
-Outputs:
-  CircleCIUser:
-    Description: IAM User whose keys we drop into CircleCI
-    Value: !Ref CircleCIUser