Migrating Beiartf Authentication Method from Beiartf-Refresh

This post explains the steps needed to migrate your beiartf authentication method from beiartf-refresh to the AWS SDK authentication method through the beiartf profile. This should help prevent the need for IDEA restarts when the SAML authentication token expires.

Modifying Developers' Local Environment

Follow all the steps mentioned in this link to install aws-google-auth. This includes those who are still waiting for an SSO access grant.

Modifying The Repository

Look at this git compare of bei-application-template for an example. The changes are:

1. The block

credentials(AwsCredentials) {
  accessKey = "$System.env.BEIARTF_ACCESS_KEY_ID"
  secretKey = "$System.env.BEIARTF_SECRET_ACCESS_KEY"
  sessionToken = "$System.env.BEIARTF_SESSION_TOKEN"
}

should be changed to

authentication {
  AwsIm(AwsImAuthentication)
}

2. In gradle.properties, add this line

systemProp.aws.profile=beiartf

3. Copy this assume_role.sh script
4. Modify build.sh and init_codebuild.sh so that the uploadAmiBakingManifest task runs in a separate Gradle process from the rest (because you have to supply a different aws.profile argument). For example, where everything was previously put in a single Gradle run,

BUILD_COMMAND="./gradlew :${SERVICE_MODULE_NAME}:compileJava :${SERVICE_MODULE_NAME}:uploadAmiBakingManifest -Pversion=$(git rev-parse --short HEAD)"

should be split into two different runs

BUILD_COMMAND="./gradlew :${SERVICE_MODULE_NAME}:distTar"
RELEASE_COMMAND="./gradlew :${SERVICE_MODULE_NAME}:uploadAmiBakingManifest -Pversion=$(git rev-parse --short HEAD) -Daws.profile=\"default\""

You can skip this if this repository is not meant to release services.
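To confirm that a checkout no longer depends on the static BEIARTF_* credentials, the four repository changes above can be checked mechanically. The script below is an added example, not part of the original post or of the linked assume_role.sh. The function name and the assumption that all files sit at the repository root are hypothetical; the scripts/assume_role.sh path is taken from the CodeBuild command later in this post.

```shell
#!/bin/sh
# Added example: report leftovers of the old beiartf-refresh setup.
# Patterns and file names come from the post; the function name and the
# repository layout are assumptions.

check_beiartf_migration() {
  repo="$1"
  problems=0
  old='credentials\(AwsCredentials\)|BEIARTF_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)'

  # 1. No Gradle file may still read credentials from BEIARTF_* variables.
  hits=$(find "$repo" -type f -name '*.gradle' -exec grep -lE "$old" {} + || true)
  if [ -n "$hits" ]; then
    echo "FAIL: old BEIARTF_* credentials still referenced in: $hits"
    problems=$((problems + 1))
  fi

  # 2. gradle.properties must select the beiartf profile.
  if ! grep -qxF 'systemProp.aws.profile=beiartf' "$repo/gradle.properties" 2>/dev/null; then
    echo "FAIL: gradle.properties lacks systemProp.aws.profile=beiartf"
    problems=$((problems + 1))
  fi

  # 3. The CodeBuild pre_build command expects ./scripts/assume_role.sh.
  if [ ! -f "$repo/scripts/assume_role.sh" ]; then
    echo "FAIL: scripts/assume_role.sh is missing"
    problems=$((problems + 1))
  fi

  # 4. Every gradlew call that runs uploadAmiBakingManifest must pass its own
  #    -Daws.profile. Repositories that do not release services have no such call.
  for f in "$repo/build.sh" "$repo/init_codebuild.sh"; do
    [ -f "$f" ] || continue
    if grep 'gradlew' "$f" | grep 'uploadAmiBakingManifest' | grep -qv -- '-Daws\.profile='; then
      echo "FAIL: $f runs uploadAmiBakingManifest without -Daws.profile"
      problems=$((problems + 1))
    fi
  done

  if [ "$problems" -eq 0 ]; then echo "OK: $repo looks migrated"; fi
  return "$problems"
}

# Run against a checkout when a path is given: ./check_migration.sh /path/to/repo
if [ "$#" -gt 0 ]; then check_beiartf_migration "$1"; fi
```

The return code is the number of failed checks, so it can gate a CI step directly.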

Modifying the Codebuild Pipeline

Change the pre_build_commands from

"$(aws-sudo.sh -d 3600 arn:aws:iam::517530806209:role/BeiartfWriter_${local.product_domain} | sed s/AWS_/BEIARTF_/g)",

to

"./scripts/assume_role.sh -r arn:aws:iam::517530806209:role/BeiartfWriter_${local.product_domain}",

This tvlk-build-terraform-aws PR link is an example. Don’t forget to apply the Terraform.

How to Work After Applying These Changes

You should follow the Java Code Development Daily Workflow. Those without SSO access who still rely on a tvlk-dev access key can replace the value supplied for -p (the saml profile) with the profile name for their access key (or drop the -p if still reliant on an AWS access key, as with beiartf-refresh). This is only a temporary workaround, however: you should still request SSO from it-infra, since we won’t grant access to the new beiartf for tvlk-dev accounts.

Changes to tv-sql-product and backend-monorepo

For these two repositories, Christianto Handojo will apply the changes related to the authentication procedure on May 27, 18.00 UTC+7. The details are:

This post is a copy of https://29022131.atlassian.net/wiki/spaces/BEI/blog/2020/05/27/1381564835/Migrating+Beiartf+Authentication+Method+from+Beiartf-Refresh