chore(release): write to new release s3 bucket MONGOSH-2124 (#2421)

This commit adjusts the mongosh release process to dual write to our new
release S3 bucket. Instead of using long-lived static credentials, we have
moved over to an IAM role and are assuming it via Evergreen's ec2.assume_role
and in GitHub Actions via configure-aws-credentials.

Author: drichmdb

.evergreen.yml

@@ -4299,10 +4299,17 @@ functions:
       params:
         file: tmp/expansions.yaml
         redacted: true
+    - command: ec2.assume_role
+      params:
+        role_arn: "arn:aws:iam::119629040606:role/s3-access.cdn-origin-compass"
     - command: shell.exec
       params:
         working_dir: src
         shell: bash
+        env:
+          DOWNLOAD_CENTER_AWS_KEY_NEW: ${AWS_ACCESS_KEY_ID}
+          DOWNLOAD_CENTER_AWS_SECRET_NEW: ${AWS_SECRET_ACCESS_KEY}
+          DOWNLOAD_CENTER_AWS_SESSION_TOKEN_NEW: ${AWS_SESSION_TOKEN}
         script: |
           set -e
           {
@@ -4366,6 +4373,9 @@ functions:
       params:
         file: tmp/expansions.yaml
         redacted: true
+    - command: ec2.assume_role
+      params:
+        role_arn: "arn:aws:iam::119629040606:role/s3-access.cdn-origin-compass"
     - command: shell.exec
       # silent: true
       params:
@@ -4374,6 +4384,9 @@ functions:
         env:
           devtoolsbot_npm_token: ${devtoolsbot_npm_token}
           node_js_version: ${node_js_version}
+          DOWNLOAD_CENTER_AWS_KEY_NEW: ${AWS_ACCESS_KEY_ID}
+          DOWNLOAD_CENTER_AWS_SECRET_NEW: ${AWS_SECRET_ACCESS_KEY}
+          DOWNLOAD_CENTER_AWS_SESSION_TOKEN_NEW: ${AWS_SESSION_TOKEN}
         script: |
           set -e
           export PUPPETEER_SKIP_DOWNLOAD="true"

.github/workflows/update-cta.yml

@@ -19,6 +19,7 @@ on:
         default: CTA-Production
 
 permissions:
+  id-token: write
   contents: read
 
 jobs:
@@ -34,16 +35,27 @@ jobs:
       DOWNLOAD_CENTER_AWS_SECRET: ${{ secrets.DOWNLOAD_CENTER_AWS_SECRET }}
     steps:
       - uses: actions/checkout@v4
+      - name: configure aws credentials
+        uses: aws-actions/[email protected]
+        with:
+          role-to-assume: arn:aws:iam::119629040606:role/s3-access.cdn-origin-compass
+          aws-region: us-east-1
+      - name: Sts GetCallerIdentity
+        run: |
+          aws sts get-caller-identity
       - uses: actions/setup-node@v4
         with:
           node-version: ^20.x
           cache: "npm"
-
       - name: Install Dependencies and Compile
         run: |
           npm ci
           npm run compile
 
       - name: Update greeting CTA
+        env:
+          DOWNLOAD_CENTER_AWS_KEY_NEW: "${{ env.AWS_ACCESS_KEY_ID }}"
+          DOWNLOAD_CENTER_AWS_SECRET_NEW: "${{ env.AWS_SECRET_KEY }}"
+          DOWNLOAD_CENTER_AWS_SESSION_TOKEN_NEW: "${{ env.AWS_SESSION_TOKEN }}"
         run: |
           npm run update-cta ${{ github.event.inputs.dry-run && '-- --dry-run' || '' }}

config/build.conf.js

@@ -97,6 +97,9 @@ module.exports = {
   evgAwsSecret: process.env.AWS_SECRET,
   downloadCenterAwsKey: process.env.DOWNLOAD_CENTER_AWS_KEY,
   downloadCenterAwsSecret: process.env.DOWNLOAD_CENTER_AWS_SECRET,
+  downloadCenterAwsKeyNew: process.env.DOWNLOAD_CENTER_AWS_KEY_NEW,
+  downloadCenterAwsSecretNew: process.env.DOWNLOAD_CENTER_AWS_SECRET_NEW,
+  downloadCenterAwsSessionTokenNew: process.env.DOWNLOAD_CENTER_AWS_SESSION_TOKEN_NEW,
   injectedJsonFeedFile: path.join(ROOT, 'config', 'mongosh-versions.json'),
   githubToken: process.env.GITHUB_TOKEN,
   segmentKey: process.env.SEGMENT_API_KEY,

packages/build/src/config/config.ts

@@ -41,6 +41,9 @@ export interface Config {
   evgAwsSecret?: string;
   downloadCenterAwsKey?: string;
   downloadCenterAwsSecret?: string;
+  downloadCenterAwsKeyNew?: string;
+  downloadCenterAwsSecretNew?: string;
+  downloadCenterAwsSessionTokenNew?: string;
   injectedJsonFeedFile?: string;
   githubToken?: string;
   segmentKey?: string;

packages/build/src/download-center/artifacts.ts

@@ -1,7 +1,11 @@
 import { DownloadCenter as DownloadCenterCls } from '@mongodb-js/dl-center';
 import * as fs from 'fs';
 import path from 'path';
-import { ARTIFACTS_BUCKET, ARTIFACTS_FOLDER } from './constants';
+import {
+  ARTIFACTS_BUCKET,
+  ARTIFACTS_BUCKET_NEW,
+  ARTIFACTS_FOLDER,
+} from './constants';
 
 export async function uploadArtifactToDownloadCenter(
   filePath: string,
@@ -20,3 +24,23 @@ export async function uploadArtifactToDownloadCenter(
     fs.createReadStream(filePath)
   );
 }
+
+export async function uploadArtifactToDownloadCenterNew(
+  filePath: string,
+  awsAccessKeyId: string,
+  awsSecretAccessKey: string,
+  awsSessionToken: string,
+  DownloadCenter: typeof DownloadCenterCls = DownloadCenterCls
+): Promise<void> {
+  const dlcenter = new DownloadCenter({
+    bucket: ARTIFACTS_BUCKET_NEW,
+    accessKeyId: awsAccessKeyId,
+    secretAccessKey: awsSecretAccessKey,
+    sessionToken: awsSessionToken,
+  });
+
+  await dlcenter.uploadAsset(
+    `${ARTIFACTS_FOLDER}/${path.basename(filePath)}`,
+    fs.createReadStream(filePath)
+  );
+}

packages/build/src/download-center/config.spec.ts

@@ -40,6 +40,7 @@ const packageInformation = (version: string) =>
 
 const DUMMY_ACCESS_KEY = 'accessKey';
 const DUMMY_SECRET_KEY = 'secretKey';
+const DUMMY_SESSION_TOKEN = 'sessionToken';
 const DUMMY_CTA_CONFIG: CTAConfig = {};
 
 describe('DownloadCenter config', function () {
@@ -273,6 +274,9 @@ describe('DownloadCenter config', function () {
           packageInformation('2.0.1'),
           DUMMY_ACCESS_KEY,
           DUMMY_SECRET_KEY,
+          DUMMY_ACCESS_KEY,
+          DUMMY_SECRET_KEY,
+          DUMMY_SESSION_TOKEN,
           '',
           false,
           DUMMY_CTA_CONFIG,
@@ -290,6 +294,12 @@ describe('DownloadCenter config', function () {
           accessKeyId: DUMMY_ACCESS_KEY,
           secretAccessKey: DUMMY_SECRET_KEY,
         });
+        expect(dlCenter).to.have.been.calledWith({
+          bucket: 'cdn-origin-compass',
+          accessKeyId: DUMMY_ACCESS_KEY,
+          secretAccessKey: DUMMY_SECRET_KEY,
+          sessionToken: DUMMY_SESSION_TOKEN,
+        });
 
         expect(uploadConfig).to.be.calledOnce;
 
@@ -321,7 +331,7 @@ describe('DownloadCenter config', function () {
           tutorial_link: 'test',
         });
 
-        expect(uploadAsset).to.be.calledOnce;
+        expect(uploadAsset).to.be.calledTwice;
         const [assetKey] = uploadAsset.lastCall.args;
         expect(assetKey).to.equal('compass/mongosh.json');
       });
@@ -332,6 +342,9 @@ describe('DownloadCenter config', function () {
           packageInformation('1.2.2'),
           DUMMY_ACCESS_KEY,
           DUMMY_SECRET_KEY,
+          DUMMY_ACCESS_KEY,
+          DUMMY_SECRET_KEY,
+          DUMMY_SESSION_TOKEN,
           '',
           false,
           DUMMY_CTA_CONFIG,
@@ -349,6 +362,12 @@ describe('DownloadCenter config', function () {
           accessKeyId: DUMMY_ACCESS_KEY,
           secretAccessKey: DUMMY_SECRET_KEY,
         });
+        expect(dlCenter).to.have.been.calledWith({
+          bucket: 'cdn-origin-compass',
+          accessKeyId: DUMMY_ACCESS_KEY,
+          secretAccessKey: DUMMY_SECRET_KEY,
+          sessionToken: DUMMY_SESSION_TOKEN,
+        });
 
         expect(uploadConfig).to.be.calledOnce;
 
@@ -377,7 +396,7 @@ describe('DownloadCenter config', function () {
           tutorial_link: 'test',
         });
 
-        expect(uploadAsset).to.be.calledOnce;
+        expect(uploadAsset).to.be.calledTwice;
         const [assetKey, uploadedAsset] = uploadAsset.lastCall.args;
         expect(assetKey).to.equal('compass/mongosh.json');
         const jsonFeedData = JSON.parse(uploadedAsset);
@@ -431,6 +450,9 @@ describe('DownloadCenter config', function () {
           packageInformation('2.0.0'),
           DUMMY_ACCESS_KEY,
           DUMMY_SECRET_KEY,
+          DUMMY_ACCESS_KEY,
+          DUMMY_SECRET_KEY,
+          DUMMY_SESSION_TOKEN,
           path.resolve(
             __dirname,
             '..',
@@ -455,6 +477,12 @@ describe('DownloadCenter config', function () {
           accessKeyId: DUMMY_ACCESS_KEY,
           secretAccessKey: DUMMY_SECRET_KEY,
         });
+        expect(dlCenter).to.have.been.calledWith({
+          bucket: 'cdn-origin-compass',
+          accessKeyId: DUMMY_ACCESS_KEY,
+          secretAccessKey: DUMMY_SECRET_KEY,
+          sessionToken: DUMMY_SESSION_TOKEN,
+        });
 
         expect(uploadConfig).to.be.calledOnce;
 
@@ -486,7 +514,7 @@ describe('DownloadCenter config', function () {
           tutorial_link: 'test',
         });
 
-        expect(uploadAsset).to.be.calledOnce;
+        expect(uploadAsset).to.be.calledTwice;
         const [assetKey, uploadedAsset] = uploadAsset.lastCall.args;
         expect(assetKey).to.equal('compass/mongosh.json');
         const jsonFeedData = JSON.parse(uploadedAsset);
@@ -593,6 +621,9 @@ describe('DownloadCenter config', function () {
           config,
           DUMMY_ACCESS_KEY,
           DUMMY_SECRET_KEY,
+          DUMMY_ACCESS_KEY,
+          DUMMY_SECRET_KEY,
+          DUMMY_SESSION_TOKEN,
           dryRun,
           dlCenter as any
         );
@@ -630,6 +661,9 @@ describe('DownloadCenter config', function () {
         config,
         DUMMY_ACCESS_KEY,
         DUMMY_SECRET_KEY,
+        DUMMY_ACCESS_KEY,
+        DUMMY_SECRET_KEY,
+        DUMMY_SESSION_TOKEN,
         false,
         dlCenter as any
       );
@@ -655,6 +689,9 @@ describe('DownloadCenter config', function () {
         ctas,
         DUMMY_ACCESS_KEY,
         DUMMY_SECRET_KEY,
+        DUMMY_ACCESS_KEY,
+        DUMMY_SECRET_KEY,
+        DUMMY_SESSION_TOKEN,
         false,
         dlCenter as any
       );
@@ -677,6 +714,9 @@ describe('DownloadCenter config', function () {
         config,
         DUMMY_ACCESS_KEY,
         DUMMY_SECRET_KEY,
+        DUMMY_ACCESS_KEY,
+        DUMMY_SECRET_KEY,
+        DUMMY_SESSION_TOKEN,
         false,
         dlCenter as any
       );
@@ -699,6 +739,9 @@ describe('DownloadCenter config', function () {
         config,
         DUMMY_ACCESS_KEY,
         DUMMY_SECRET_KEY,
+        DUMMY_ACCESS_KEY,
+        DUMMY_SECRET_KEY,
+        DUMMY_SESSION_TOKEN,
         false,
         dlCenter as any
       );
@@ -721,6 +764,9 @@ describe('DownloadCenter config', function () {
         config,
         DUMMY_ACCESS_KEY,
         DUMMY_SECRET_KEY,
+        DUMMY_ACCESS_KEY,
+        DUMMY_SECRET_KEY,
+        DUMMY_SESSION_TOKEN,
         false,
         dlCenter as any
       );
@@ -750,6 +796,9 @@ describe('DownloadCenter config', function () {
         config,
         DUMMY_ACCESS_KEY,
         DUMMY_SECRET_KEY,
+        DUMMY_ACCESS_KEY,
+        DUMMY_SECRET_KEY,
+        DUMMY_SESSION_TOKEN,
         false,
         dlCenter as any
       );
@@ -779,6 +828,9 @@ describe('DownloadCenter config', function () {
         config,
         DUMMY_ACCESS_KEY,
         DUMMY_SECRET_KEY,
+        DUMMY_ACCESS_KEY,
+        DUMMY_SECRET_KEY,
+        DUMMY_SESSION_TOKEN,
         false,
         dlCenter as any
       );

packages/build/src/download-center/config.ts

@@ -9,6 +9,7 @@ import type {
 } from '@mongodb-js/dl-center/dist/download-center-config';
 import {
   ARTIFACTS_BUCKET,
+  ARTIFACTS_BUCKET_NEW,
   JSON_FEED_ARTIFACT_KEY,
   ARTIFACTS_URL_PUBLIC_BASE,
   CONFIGURATION_KEY,
@@ -55,6 +56,9 @@ export async function createAndPublishDownloadCenterConfig(
   packageInformation: PackageInformationProvider,
   awsAccessKeyId: string,
   awsSecretAccessKey: string,
+  awsAccessKeyIdNew: string,
+  awsSecretAccessKeyNew: string,
+  awsSessionTokenNew: string,
   injectedJsonFeedFile: string,
   isDryRun: boolean,
   ctaConfig: CTAConfig,
@@ -100,6 +104,13 @@ export async function createAndPublishDownloadCenterConfig(
     secretAccessKey: awsSecretAccessKey,
   });
 
+  const dlcenterArtifactsNew = new DownloadCenter({
+    bucket: ARTIFACTS_BUCKET_NEW,
+    accessKeyId: awsAccessKeyIdNew,
+    secretAccessKey: awsSecretAccessKeyNew,
+    sessionToken: awsSessionTokenNew,
+  });
+
   const existingJsonFeed = await getCurrentJsonFeed(dlcenterArtifacts);
   const injectedJsonFeed: JsonFeed | undefined = injectedJsonFeedFile
     ? JSON.parse(await fs.readFile(injectedJsonFeedFile, 'utf8'))
@@ -135,12 +146,20 @@ export async function createAndPublishDownloadCenterConfig(
       JSON.stringify(newJsonFeed, null, 2)
     ),
   ]);
+
+  await dlcenterArtifactsNew.uploadAsset(
+    JSON_FEED_ARTIFACT_KEY,
+    JSON.stringify(newJsonFeed, null, 2)
+  );
 }
 
 export async function updateJsonFeedCTA(
   config: CTAConfig,
   awsAccessKeyId: string,
   awsSecretAccessKey: string,
+  awsAccessKeyIdNew: string,
+  awsSecretAccessKeyNew: string,
+  awsSessionTokenNew: string,
   isDryRun: boolean,
   DownloadCenter: typeof DownloadCenterCls = DownloadCenterCls
 ) {
@@ -150,6 +169,13 @@ export async function updateJsonFeedCTA(
     secretAccessKey: awsSecretAccessKey,
   });
 
+  const dlcenterArtifactsNew = new DownloadCenter({
+    bucket: ARTIFACTS_BUCKET_NEW,
+    accessKeyId: awsAccessKeyIdNew,
+    secretAccessKey: awsSecretAccessKeyNew,
+    sessionToken: awsSessionTokenNew,
+  });
+
   const jsonFeed = await getCurrentJsonFeed(dlcenterArtifacts);
   if (!jsonFeed) {
     throw new Error('No existing JSON feed found');
@@ -165,6 +191,10 @@ export async function updateJsonFeedCTA(
   }
 
   await dlcenterArtifacts.uploadAsset(JSON_FEED_ARTIFACT_KEY, patchedJsonFeed);
+  await dlcenterArtifactsNew.uploadAsset(
+    JSON_FEED_ARTIFACT_KEY,
+    patchedJsonFeed
+  );
 }
 
 function populateJsonFeedCTAs(jsonFeed: JsonFeed, ctas: CTAConfig) {