From 6af8d424d8b4d415afd9d2bf0ffcc8abf833bb0d Mon Sep 17 00:00:00 2001
From: Renato Rabdishta
Date: Mon, 14 Nov 2022 10:52:54 +0100
Subject: [PATCH 1/7] add workflow_on tag on yml file
---
 .../workflows/cloudfront-cache-invalidation.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/cloudfront-cache-invalidation.yml b/.github/workflows/cloudfront-cache-invalidation.yml
index bf383c6..36a9370 100644
--- a/.github/workflows/cloudfront-cache-invalidation.yml
+++ b/.github/workflows/cloudfront-cache-invalidation.yml
@@ -1,13 +1,14 @@
 name: Cloudfront cache invalidation
 on:
- inputs:
- DISTRIBUTION_ID:
- required: true
- type: string
- AWS_REGION:
- required: true
- type: string
+ workflow_call:
+ inputs:
+ DISTRIBUTION_ID:
+ required: true
+ type: string
+ AWS_REGION:
+ required: true
+ type: string
 jobs:
 cloudfront-cache-invalidation:
From 66cb7fa04a0c57cd2f43123e6a2e3adb8c0a9c44 Mon Sep 17 00:00:00 2001
From: Renato Rabdishta
Date: Mon, 14 Nov 2022 11:37:55 +0100
Subject: [PATCH 2/7] add authentication before aws cache invalidation step
---
 .../workflows/cloudfront-cache-invalidation.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/cloudfront-cache-invalidation.yml b/.github/workflows/cloudfront-cache-invalidation.yml
index 36a9370..cf81748 100644
--- a/.github/workflows/cloudfront-cache-invalidation.yml
+++ b/.github/workflows/cloudfront-cache-invalidation.yml
@@ -6,6 +6,9 @@ on:
 DISTRIBUTION_ID:
 required: true
 type: string
+ VAULT_AWS_NAME:
+ required: true
+ type: string
 AWS_REGION:
 required: true
 type: string
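Review bot: The inputs `DISTRIBUTION_ID` and `AWS_REGION` under the new `workflow_call` block carry no `description:`, and for a reusable workflow that field is the only interface documentation a caller sees. Add `description: CloudFront distribution ID to invalidate` and `description: AWS region passed to the aws CLI` (wording to taste) under each input. The job definition that starts at `cloudfront-cache-invalidation:` continues outside the hunk.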
@@ -14,5 +17,17 @@ jobs:
 cloudfront-cache-invalidation:
 runs-on: ubuntu-latest
 steps:
+ - name: Import Secrets
+ uses: hashicorp/vault-action@v2.4.2
+ with:
+ url: https://vault.crispybacon.it
+ token: ${{ secrets.vault_token }}
+ secrets: |
+ ${{ inputs.VAULT_AWS_NAME }}/creds/github-pipeline-access-role access_key | AWS_ACCESS_KEY_ID ;
+ ${{ inputs.VAULT_AWS_NAME }}/creds/github-pipeline-access-role secret_key | AWS_SECRET_ACCESS_KEY ;
+
+ - name: Wait for IAM credentials to be ready
+ run: sleep 10
+
 - name: cache invalidation on distribution ID ${{ inputs.DISTRIBUTION_ID }}
 run: aws cloudfront create-invalidation --distribution-id ${{ inputs.DISTRIBUTION_ID }} --paths "/*" "/**/*" --region ${{ inputs.AWS_REGION }}
From 4a84f194b2490a659e0ef0743fa1e1d9fcbac5de Mon Sep 17 00:00:00 2001
From: Renato Rabdishta
Date: Mon, 14 Nov 2022 11:42:44 +0100
Subject: [PATCH 3/7] add secret workflow
---
 .github/workflows/cloudfront-cache-invalidation.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/cloudfront-cache-invalidation.yml b/.github/workflows/cloudfront-cache-invalidation.yml
index cf81748..a18e7f6 100644
--- a/.github/workflows/cloudfront-cache-invalidation.yml
+++ b/.github/workflows/cloudfront-cache-invalidation.yml
@@ -2,6 +2,9 @@ name: Cloudfront cache invalidation
 on:
 workflow_call:
+ secrets:
+ vault_token:
+ required: true
 inputs:
 DISTRIBUTION_ID:
 required: true
From 31d7decb9d4e034b61fcb92ac84fe7ecbbb554fc Mon Sep 17 00:00:00 2001
From: Renato Rabdishta
Date: Mon, 14 Nov 2022 11:47:28 +0100
Subject: [PATCH 4/7] change required input
---
 .github/workflows/cloudfront-cache-invalidation.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/cloudfront-cache-invalidation.yml b/.github/workflows/cloudfront-cache-invalidation.yml
index a18e7f6..0822a92 100644
--- a/.github/workflows/cloudfront-cache-invalidation.yml
+++ b/.github/workflows/cloudfront-cache-invalidation.yml
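Review bot: `uses: hashicorp/vault-action@v2.4.2` pins the step that receives `secrets.vault_token` and exports AWS credentials to a mutable tag; pin it to the release's full commit SHA and keep the version as a trailing comment, `uses: hashicorp/vault-action@<commit-sha-of-v2.4.2> # v2.4.2`, so a re-tagged release cannot change what runs with those secrets. The `secrets:` block builds the Vault path from `inputs.VAULT_AWS_NAME`, a caller-supplied string (patch 4 later makes it optional with a default), so every mount the `vault_token` policy permits is selectable by any caller; a short step that rejects values outside the expected shape (for example matching `^[a-z0-9_-]+$`) before the Vault step would bound that. The fixed `run: sleep 10` in "Wait for IAM credentials to be ready" is a timing guess for IAM propagation and will either fail intermittently or waste time; a bounded readiness loop on `aws sts get-caller-identity`, shown below, is more robust. Unless the action revokes the lease when the job ends, which I do not see configured here, the dynamic credentials remain valid until the Vault role's TTL, so that TTL should stay short.
```yaml
      - name: Wait for IAM credentials to be ready
        run: |
          # Poll instead of a fixed sleep: newly issued IAM keys become usable after a variable delay.
          for attempt in $(seq 1 12); do
            if aws sts get-caller-identity >/dev/null 2>&1; then
              exit 0
            fi
            sleep 5
          done
          echo "Vault-issued AWS credentials were not usable after 60s" >&2
          exit 1
```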
@@ -10,8 +10,9 @@ on:
 required: true
 type: string
 VAULT_AWS_NAME:
- required: true
+ required: false
 type: string
+ default: aws_devops_tools
 AWS_REGION:
 required: true
 type: string
From b60caa9d8c052c073965f78efeb47b4c7ef01946 Mon Sep 17 00:00:00 2001
From: Renato Rabdishta
Date: Mon, 14 Nov 2022 11:48:29 +0100
Subject: [PATCH 5/7] remove secret on call
---
 .github/workflows/cloudfront-cache-invalidation.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/cloudfront-cache-invalidation.yml b/.github/workflows/cloudfront-cache-invalidation.yml
index 0822a92..8763427 100644
--- a/.github/workflows/cloudfront-cache-invalidation.yml
+++ b/.github/workflows/cloudfront-cache-invalidation.yml
@@ -2,9 +2,6 @@ name: Cloudfront cache invalidation
 on:
 workflow_call:
- secrets:
- vault_token:
- required: true
 inputs:
 DISTRIBUTION_ID:
 required: true
From 11a41814ff5b7ff8aa4466fbdd916f8b02ab5d87 Mon Sep 17 00:00:00 2001
From: Renato Rabdishta
Date: Mon, 14 Nov 2022 11:50:59 +0100
Subject: [PATCH 6/7] add vault secret
---
 .github/workflows/cloudfront-cache-invalidation.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/cloudfront-cache-invalidation.yml b/.github/workflows/cloudfront-cache-invalidation.yml
index 8763427..0822a92 100644
--- a/.github/workflows/cloudfront-cache-invalidation.yml
+++ b/.github/workflows/cloudfront-cache-invalidation.yml
@@ -2,6 +2,9 @@ name: Cloudfront cache invalidation
 on:
 workflow_call:
+ secrets:
+ vault_token:
+ required: true
 inputs:
 DISTRIBUTION_ID:
 required: true
From cb2467557c74dd1c7b27344f29975d8d47165431 Mon Sep 17 00:00:00 2001
From: Marco Rossi
Date: Mon, 21 Nov 2022 13:19:23 +0100
Subject: [PATCH 7/7] test: Testing workdir path
---
 .github/workflows/build-image-on-ecr-with-vault.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/build-image-on-ecr-with-vault.yml b/.github/workflows/build-image-on-ecr-with-vault.yml
index f0ff7b7..a383f35 100644
--- a/.github/workflows/build-image-on-ecr-with-vault.yml
+++ b/.github/workflows/build-image-on-ecr-with-vault.yml
@@ -25,6 +25,9 @@ on:
 required: false
 type: string
 default: .
+ WORKDIR:
+ required: false
+ type: string
 jobs:
 build_docker_image:
@@ -46,6 +49,11 @@ jobs:
 - name: Login ECR registry
 run: aws ecr get-login-password --region ${{ inputs.AWS_REGION }} | docker login --username AWS --password-stdin ${{ inputs.BASE_REGISTRY_PATH }}/${{ inputs.PROJECT_NAME }}
 - name: Build the Docker image
+ if: ${{ inputs.WORKDIR == '' }}
+ run: docker build -t ${{ inputs.BASE_REGISTRY_PATH }}/${{ inputs.PROJECT_NAME }}:${{ github.sha }}-${{ github.ref_name }} ${{ inputs.CUSTOM_DOCKER_OPTIONS }}
+ - name: Build the Docker image in specific workdir
+ if: ${{ inputs.WORKDIR != '' }}
+ working-directory: ./${{ inputs.WORKDIR }}
 run: docker build -t ${{ inputs.BASE_REGISTRY_PATH }}/${{ inputs.PROJECT_NAME }}:${{ github.sha }}-${{ github.ref_name }} ${{ inputs.CUSTOM_DOCKER_OPTIONS }}
 - name: Tag image with additional custom tag
 if: ${{ inputs.CUSTOM_IMAGE_TAG != '' }}
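Review bot: `WORKDIR` is declared without a `description:` or `default:`, so a caller cannot tell from the workflow's interface how it differs from the preceding input that defaults to `.` (its name is above the hunk) or that an empty value means "build from the checkout root", which is what the `== ''` conditions in the job below assume. Add `description: Sub-directory of the checkout to run docker build from; empty builds from the checkout root` and `default: ''` so the job's conditions read against an explicit contract.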
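Review bot: The added `run:` line expands `github.ref_name` and `inputs.CUSTOM_DOCKER_OPTIONS` straight into the shell command, so a branch name or option string containing shell metacharacters is interpreted by the runner's shell instead of reaching `docker build` as data (and a `ref_name` containing `/` already produces a tag docker rejects); route both through `env:` and reference them as shell variables, as in the rewrite below. The split into two steps on `inputs.WORKDIR == ''` / `!= ''` duplicates the build command only to toggle `working-directory`; one step with `working-directory: ${{ inputs.WORKDIR || '.' }}` covers both cases and replaces both "Build the Docker image" steps. `working-directory: ./${{ inputs.WORKDIR }}` accepts any relative path a caller passes, so if callers are not all trusted, validate the value against the checkout before use. The enclosing `build_docker_image` job continues outside the hunk.
```yaml
      - name: Build the Docker image
        working-directory: ${{ inputs.WORKDIR || '.' }}
        env:
          IMAGE: ${{ inputs.BASE_REGISTRY_PATH }}/${{ inputs.PROJECT_NAME }}
          REF_NAME: ${{ github.ref_name }}
          DOCKER_OPTIONS: ${{ inputs.CUSTOM_DOCKER_OPTIONS }}
        # DOCKER_OPTIONS is deliberately unquoted so it word-splits into separate flags;
        # as a variable it is never re-parsed for command substitution or separators.
        run: docker build -t "${IMAGE}:${{ github.sha }}-${REF_NAME}" ${DOCKER_OPTIONS}
      # … unchanged: Tag image with additional custom tag …
```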