Add new OIDC role for source mirror updates#1343
1c27d4a to cc8ded6
Ubuntu 22 has v1.12.1 available. This seems to work okay with the configs we have currently so it is probably okay to allow.
| } | ||
|
|
||
| condition { | ||
| test = "StringEqual" |
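Review bot: `test = "StringEqual"` is not an IAM condition operator, and the `aws_iam_policy_document` data source renders it into the JSON unchanged, so the mistake surfaces only when IAM rejects the policy at apply time rather than at `terraform plan`. Use `StringEquals` for an exact match on the claim being tested, or `StringLike` if the value must carry a wildcard (for example a branch pattern in the OIDC subject).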
| test = "StringEqual" | |
| test = "StringEquals" |
| statement { | ||
| effect = "Allow" | ||
| actions = ["s3:PutObject", "s3:ListBucket"] | ||
| resources = ["${data.aws_s3_bucket.source_mirror}/*"] |
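Review bot: `"${data.aws_s3_bucket.source_mirror}/*"` interpolates the whole data source object into a string, which Terraform refuses (a string is required inside a template), so `terraform plan` will fail on this line; the intended value is `"${data.aws_s3_bucket.source_mirror.arn}/*"`. Separately, `s3:ListBucket` in this statement is evaluated against the bucket ARN, not object ARNs, so the object-level resource alone will not grant the list permission.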
Does this work with terraform plan? I think it needs to be
| resources = ["${data.aws_s3_bucket.source_mirror}/*"] | |
| resources = ["${data.aws_s3_bucket.source_mirror.arn}/*"] |
Docs https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket#arn-1
| data "aws_iam_policy_document" "update_source_mirror" { | ||
| statement { | ||
| effect = "Allow" | ||
| actions = ["s3:PutObject", "s3:ListBucket"] |
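Review bot: `s3:ListBucket` and `s3:PutObject` operate on different resource types, so putting them in one statement with the object-level resource shown above means `ListBucket` is never granted. Split this into two statements: `s3:ListBucket` against `data.aws_s3_bucket.source_mirror.arn` (optionally narrowed with an `s3:prefix` condition), and `s3:PutObject` against `"${data.aws_s3_bucket.source_mirror.arn}/*"`. Keeping the action list this short is the right call for a role assumed from CI; do not widen it to `s3:*` when fixing the resources.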
ListBucket is a bucket-level action, so it needs to be applied to a bucket resource, i.e. resources = [data.aws_s3_bucket.source_mirror], not resources = ["${data.aws_s3_bucket.source_mirror}/*"]
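The two review points above (the `StringEqual` operator and the bucket-level versus object-level resources) come together in the shape of role below. This is an added example, not code from the PR or from the spack-infrastructure repository: it reuses the `data.aws_s3_bucket.source_mirror` data source named on the page, and assumes a hypothetical `aws_iam_openid_connect_provider.github` resource, a hypothetical role name, and an example repository/ref for the OIDC subject claim.

```hcl
# Added example, not the PR's code. Assumes data.aws_s3_bucket.source_mirror
# (from the page) and a hypothetical aws_iam_openid_connect_provider.github.

# Trust policy: which GitHub Actions tokens may assume the role.
data "aws_iam_policy_document" "update_source_mirror_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn] # assumed to exist
    }

    # Exact match on the audience: the operator is StringEquals, not StringEqual.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Pin the subject to one repository and ref. Without this condition any
    # repository on github.com could assume the role, because the provider is
    # shared. Use StringLike only if a wildcard is genuinely needed.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:spack/spack-infrastructure:ref:refs/heads/main"] # assumed repo/ref
    }
  }
}

# Permissions policy: bucket-level and object-level actions on separate resources.
data "aws_iam_policy_document" "update_source_mirror" {
  # s3:ListBucket is evaluated against the bucket ARN itself.
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [data.aws_s3_bucket.source_mirror.arn]
  }

  # s3:PutObject is evaluated against object ARNs, hence the "/*" suffix.
  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${data.aws_s3_bucket.source_mirror.arn}/*"]
  }
}

resource "aws_iam_role" "update_source_mirror" {
  name               = "UpdateSourceMirror" # assumed name
  assume_role_policy = data.aws_iam_policy_document.update_source_mirror_assume.json
}

resource "aws_iam_role_policy" "update_source_mirror" {
  role   = aws_iam_role.update_source_mirror.name
  policy = data.aws_iam_policy_document.update_source_mirror.json
}
```

`terraform validate` and `terraform plan` catch the broken interpolation (`${data.aws_s3_bucket.source_mirror}` without `.arn`) but not a misspelled condition operator, so the rendered JSON of `update_source_mirror_assume` is worth eyeballing before apply. The `sub` condition is the security-relevant line: it is what restricts the role to one repository and ref.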
| variable "deployment_name" { | ||
| type = string | ||
| } | ||
|
|
||
| variable "deployment_stage" { | ||
| type = string | ||
| } | ||
|
|
||
| variable "region" { | ||
| type = string | ||
| } |
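Review bot: none of the three `variable` blocks carries a `description`, so a reader of the module cannot tell what `deployment_name`, `deployment_stage` and `region` are meant to select; if this file survives the module question raised in review, add a `description` to each, and if it does not, delete the file along with the module.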
This file isn't needed (see comment about module)
| variable "deployment_name" { | |
| type = string | |
| } | |
| variable "deployment_stage" { | |
| type = string | |
| } | |
| variable "region" { | |
| type = string | |
| } |
|
|
||
| module "spack_github" { | ||
| source = "../modules/spack_github" | ||
|
|
||
| deployment_name = "prod" | ||
| deployment_stage = "blue" | ||
|
|
||
| region = "us-east-1" | ||
| } |
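Review bot: `deployment_name = "prod"`, `deployment_stage = "blue"` and `region = "us-east-1"` are hardcoded literals in the call, so this module instance is tied to one deployment while presenting a generic interface; either reference the values the production configuration already uses so they cannot drift, or, per the review comment that the module reads none of its inputs, drop the block and declare the resources directly under terraform/production.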
This module block isn't needed if we move the new resources into the production module directly (see comment below)
| module "spack_github" { | |
| source = "../modules/spack_github" | |
| deployment_name = "prod" | |
| deployment_stage = "blue" | |
| region = "us-east-1" | |
| } |
| @@ -0,0 +1,57 @@ | |||
| locals { | |||
This file doesn't need to be its own module - it's not using any of the variables it takes as input, and isn't reused anywhere. We can just move this entire file to terraform/production/mirrors_iam.tf, and that eliminates all the unnecessary module boilerplate.
Essentially, exactly what we do for this file https://github.com/spack/spack-infrastructure/blob/main/terraform/production/iam.tf
26f8b37 to df0c86e
Closed in favor of #1344
Add OIDC role for source mirror sync from GHA.
cc: @alecbcs