Trying base 64

.github/workflows/ecs_deploy_docker_taskdef.yaml

@@ -73,6 +73,15 @@ jobs:
             echo "taskdef_file_template=${{inputs.taskdef_file_template}}" >> $GITHUB_ENV
           fi
 
+      - name: Determine Account Number Source
+        id: determine_account_number
+        run: |
+          if [[ "${{ inputs.account_number }}" =~ ^secrets\..*$ ]]; then
+            echo "account_number_resolved=${{ secrets[format('{0}', inputs.account_number)] }}" >> $GITHUB_ENV
+          else
+            echo "account_number_resolved=${{ inputs.account_number }}" >> $GITHUB_ENV
+          fi
+
       - name: Create taskdef file dynamically using parameters passed
         run: |
           script_dir="$(dirname ${{ env.taskdef_file_script }})"
@@ -86,14 +95,25 @@ jobs:
           pipenv install && \
           pipenv run python ${{ env.taskdef_file_script }} \
             -pf code/${{ inputs.taskdef_file_vars }} -tt ${{ env.taskdef_file_template }} \
-            -acc $(echo "${{ inputs.account_number }}" | base64 --decode) \
+            -acc ${{ env.account_number_resolved }} \
             -app ${{ inputs.app_name }}
 
+      - name: Get Account Number
+        id: get-account-number
+        run: |
+          script_dir="$(dirname ${{ env.taskdef_file_script }})"
+          if [[ -z "$script_dir" ]]; then
+            echo "Warning: Script name doesn't contain a directory path. Using current directory."
+            script_dir="."
+          fi
+          echo "account_number_read=$script_dir/$(base64 --decode account_number.txt | cut -d'=' -f2)" >> $GITHUB_ENV
+        shell: bash
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
           aws-region: ${{ inputs.aws_region }}
-          role-to-assume: arn:aws:iam::$(echo "${{ inputs.account_number }}" | base64 --decode):role/${{ inputs.app_name }}-GithubActionsRole
+          role-to-assume: arn:aws:iam::$(echo "${{ env.account_number_read }}" | base64 --decode):role/${{ inputs.app_name }}-GithubActionsRole
           role-session-name: GithubActionsSession
 
       - name: Login to Amazon ECR

Support/taskdef_template/taskdef_creator.py

@@ -2,6 +2,7 @@
 """
 
 import argparse
+import base64
 import json
 import os
 import re
@@ -118,6 +119,16 @@ def _print_secrets_to_create(self, json_data_str: str):
 
                 print(f"Update SSM for secret: {secret}")
 
+    def _log_account_number_to_file(account_number: str):
+        """
+        Logs account number in base64 encoded format to a file: account_number.txt
+        """
+        current_directory = os.getcwd()
+        file_path = os.path.join(current_directory, "account_number.txt")
+        encoded_string = base64.b64encode(account_number.encode('utf-8'))
+        with open(file_path, 'w') as file_object:
+            file_object.write(encoded_string)
+
     def create_taskdef_file(self, account_number: str):
         """Create a taskdef file based on the app name"""
         directory = os.path.dirname(self.args.taskdef_template)
@@ -164,7 +175,8 @@ def substitute_values(self):
         self._substitute_secret_vars(user_data.get("secret_vars", []))
         [user_data.pop(key) for key in ["env_vars", "secret_vars"] if key in user_data]
         for sub in expected_sub:            
-            self._subtitute_data(user_data, sub)        
+            self._subtitute_data(user_data, sub)
+        self._log_account_number_to_file(user_data["account_number"])    
         return user_data["account_number"]