@@ -62,14 +62,16 @@ variables:
6262 stage : .pre
6363 image : docker:20
6464 services :
65- - docker:20-dind
65+ - docker:20-dind{% if cookiecutter.use_vault == "true" %}
66+ id_tokens :
67+ VAULT_ID_TOKEN :
68+ aud : ${VAULT_ADDR}{% endif %}
6669 script :
6770 - >
6871 docker run --rm
6972 -v ${PWD}:${PWD}
7073 -w ${PWD}
7174 -e CI_ENVIRONMENT_NAME{% if cookiecutter.use_vault == "true" %}
72- -e CI_JOB_JWT_V2
7375 -e ENV_NAME=${CI_ENVIRONMENT_NAME}{% endif %}
7476 -e PROJECT_DIR=${CI_PROJECT_DIR}
7577 -e PROJECT_SLUG
@@ -82,6 +84,7 @@ variables:
8284 -e SENTRY_URL{% if cookiecutter.use_vault == "true" %}
8385 -e SERVICE_SLUG={{ cookiecutter.service_slug }}
8486 -e VAULT_ADDR
87+ -e VAULT_ID_TOKEN
8588 -e VAULT_ROLE{% endif %}
8689 -e VERSION_REF
8790 --entrypoint=""
@@ -152,7 +155,10 @@ pact-verify-test:
152155 stage : Pact-verify
153156 image : docker:20
154157 services :
155- - docker:20-dind
158+ - docker:20-dind{% if cookiecutter.use_vault == "true" %}
159+ id_tokens :
160+ VAULT_ID_TOKEN :
161+ aud : ${VAULT_ADDR}{% endif %}
156162 needs : []
157163 variables :
158164 {{ cookiecutter.service_slug|upper }}_BUILD_TARGET: "test"
@@ -165,7 +171,7 @@ pact-verify-test:
165171 allow_failure : true
166172 before_script : &pact-verify-before-script{% if cookiecutter.use_vault == "true" %}
167173 - >
168- vault_token=$(wget --quiet --post-data="role=pact&jwt=${CI_JOB_JWT_V2 }"
174+ vault_token=$(wget --quiet --post-data="role=pact&jwt=${VAULT_ID_TOKEN }"
169175 "${VAULT_ADDR%/}"/v1/auth/gitlab-jwt/login -O - |
170176 sed -n 's/^.*"client_token":"\([^"]*\)".*$/\1/p')
171177 - >
@@ -232,19 +238,22 @@ pages:
232238 image :
233239 name : docker:20
234240 services :
235- - docker:20-dind
241+ - docker:20-dind{% if cookiecutter.use_vault == "true" %}
242+ id_tokens :
243+ VAULT_ID_TOKEN :
244+ aud : ${VAULT_ADDR}{% endif %}
236245 script :
237246 - >
238247 docker run --rm
239248 -v ${PWD}:${PWD}
240249 -w ${PWD}{% if cookiecutter.use_vault == "true" %}
241- -e CI_JOB_JWT_V2
242250 -e ENV_SLUG{% else %}
243251 -e PACT_BROKER_BASE_URL
244252 -e PACT_BROKER_PASSWORD
245253 -e PACT_BROKER_USERNAME{% endif %}
246254 -e PROJECT_SLUG{% if cookiecutter.use_vault == "true" %}
247- -e VAULT_ADDR{% endif %}
255+ -e VAULT_ADDR
256+ -e VAULT_ID_TOKEN{% endif %}
248257 --entrypoint=""
249258 pactfoundation/pact-cli:latest-node14 ./scripts/ci_pact.sh ${PACT_CMD}
250259
@@ -332,7 +341,10 @@ build_production:
332341 image :
333342 name : docker:20
334343 services :
335- - docker:20-dind
344+ - docker:20-dind{% if cookiecutter.use_vault == "true" %}
345+ id_tokens :
346+ VAULT_ID_TOKEN :
347+ aud : ${VAULT_ADDR}{% endif %}
336348 variables :
337349 TF_ROOT : ${CI_PROJECT_DIR}/terraform/{{ cookiecutter.deployment_type }}
338350 before_script :
@@ -345,16 +357,14 @@ build_production:
345357 -w ${PWD}{% if cookiecutter.terraform_backend == "gitlab" %}
346358 -e CI_API_V4_URL
347359 -e CI_COMMIT_SHA
348- -e CI_JOB_ID{% if cookiecutter.use_vault == "true" %}
349- -e CI_JOB_JWT_V2{% endif %}
360+ -e CI_JOB_ID
350361 -e CI_JOB_STAGE
351362 -e CI_JOB_TOKEN
352363 -e CI_PROJECT_ID
353364 -e CI_PROJECT_NAME
354365 -e CI_PROJECT_NAMESPACE
355366 -e CI_PROJECT_PATH
356- -e CI_PROJECT_URL{% elif cookiecutter.use_vault == "true" %}
357- -e CI_JOB_JWT_V2{% endif %}
367+ -e CI_PROJECT_URL{% endif %}
358368 -e ENV_SLUG
359369 -e PROJECT_DIR=${CI_PROJECT_DIR}
360370 -e PROJECT_SLUG
@@ -380,6 +390,7 @@ build_production:
380390 -e TF_WORKSPACE="{{ cookiecutter.project_slug }}_backend_environment_${ENV_SLUG}"{% endif %}{% if cookiecutter.terraform_backend == "terraform-cloud" and cookiecutter.use_vault == "false" %}
381391 -e TFC_TOKEN{% endif %}{% if cookiecutter.use_vault == "true" %}
382392 -e VAULT_ADDR
393+ -e VAULT_ID_TOKEN
383394 -e VAULT_ROLE
384395 -e VAULT_SECRETS="digitalocean email k8s s3 {{ cookiecutter.service_slug }}/extra {{ cookiecutter.service_slug }}/sentry"
385396 -e VAULT_SECRETS_PREFIX="envs/${CI_ENVIRONMENT_NAME}"
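Review bot: The `aud` added to each `id_tokens` block is the raw `${VAULT_ADDR}`, while the pact login in the `before_script` hunk builds its URL from `"${VAULT_ADDR%/}"`, which suggests the variable may be set with a trailing slash. Vault's JWT auth matches `aud` literally against the role's `bound_audiences`, so whether login succeeds would depend on how the variable was typed. A comment above each block, such as `# aud must equal the Vault role's bound_audiences exactly (trailing slash included)`, would make that contract visible to whoever configures the role. Separately, in the `pages` job the new `-e VAULT_ID_TOKEN` hands a Vault login credential to `pactfoundation/pact-cli:latest-node14`, a mutable third-party tag; pinning that image by digest would limit what can receive the token. The job bodies continue outside the hunks shown.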