NRL-1595 Experimenting with cert envs needed to deploy account changes

anjalitrace2-nhs · anjalitrace2-nhs · commit f7b3cb2bd3d1 · 2025-11-26T16:09:28.000Z
diff --git a/.github/workflows/deploy-account-wide-infra.yml b/.github/workflows/deploy-account-wide-infra.yml
@@ -62,7 +62,7 @@ jobs:
         env:
           ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }}
         run: |
-          make truststore-pull-all-for-account ACCOUNT=${ACCOUNT_NAME}
+          make truststore-pull-server-for-account ACCOUNT=${ACCOUNT_NAME}
 
       - name: Terraform Init
         env:
@@ -124,7 +124,7 @@ jobs:
         env:
           ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }}
         run: |
-          make truststore-pull-all-for-account ACCOUNT=${ACCOUNT_NAME}
+          make truststore-pull-server-for-account ACCOUNT=${ACCOUNT_NAME}
 
       - name: Terraform Init
         env:
diff --git a/Makefile b/Makefile
@@ -202,8 +202,8 @@ truststore-build-ca: check-warn ## Build a CA (Certificate Authority)
 truststore-build-cert: check-warn ## Build a certificate
 	@./scripts/truststore.sh build-cert "$(CA_NAME)" "$(CERT_NAME)" "$(CERT_SUBJECT)"
 
-truststore-pull-all-for-account: check-warn ## Pull all certificates for each environment in a given account
-	@./scripts/truststore.sh pull-all-for-account "$(ACCOUNT)"
+truststore-pull-server-for-account: check-warn ## Pull all certificates for each environment in a given account
+	@./scripts/truststore.sh pull-server-for-account "$(ACCOUNT)"
 
 truststore-pull-all: check-warn ## Pull all certificates
 	@./scripts/truststore.sh pull-all "$(ENV)"
diff --git a/scripts/truststore.sh b/scripts/truststore.sh
@@ -25,6 +25,7 @@ function _truststore_help() {
     echo "  pull-ca-key <ca>                - Pull the certificate authority private key"
     echo "  pull-client <env>               - pull the files needed for a client connection"
     echo "  pull-server <env>               - pull the files needed for a server connection"
+    echo "  pull-all-for-account <acc>      - pull all the truststore files for all environments in a given account"
     echo "  pull-all <env>                  - pull all the truststore files for an environment"
     echo "  push-all <env>                  - push all the truststore files for an environment"
     echo "  rotate-ca <env>                 - rotate the certificate authority, archiving the previous one"
@@ -321,10 +322,14 @@ function _truststore_pull_all_for_account() {
     echo "Pulling certs for environments ${envs_array[@]} in ${account} account"
 
     for env in ${envs_array[@]}; do
-        echo "⏳ Pulling ${env} truststore certs"
-        _truststore_pull_ca $env
-        _truststore_pull_client $env
-        _truststore_pull_server $env
+        # don't need to pull dev-sandbox etc certs
+        if [[ $env == *"-sandbox" ]];
+        then
+            echo "⏳ Pulling ${env} truststore certs"
+            _truststore_pull_ca $env
+            _truststore_pull_client $env
+            _truststore_pull_server $env
+        fi
     done
 
     echo -e "✅ Successfully pulled all ${account} truststore files from s3://${BUCKET}"
