From 14890f524a7a177aeb9440a2c504b723473f2ae3 Mon Sep 17 00:00:00 2001
From: Ryan Krattiger
Date: Wed, 22 Apr 2026 13:31:48 -0500
Subject: [PATCH 1/4] Add new OIDC role for source mirror updates
---
terraform/modules/spack_github/mirrors_iam.tf | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 terraform/modules/spack_github/mirrors_iam.tf
diff --git a/terraform/modules/spack_github/mirrors_iam.tf b/terraform/modules/spack_github/mirrors_iam.tf
new file mode 100644
index 000000000..19c59d00f
--- /dev/null
+++ b/terraform/modules/spack_github/mirrors_iam.tf
@@ -0,0 +1,46 @@
+locals {
+ github_domain = "token.actions.githubusercontent.com"
+
+ mirror_roles = {
+ "sts.amazonaws.com" = {
+ "role_name_suffix" = "SpackSourceMirror${var.deployment_name == "prod" ? "" : "-${var.deployment_name}"}-${var.deployment_stage}",
+ "conditions" = [
+ "repo:spack/spack-packages:ref:refs/heads/develop",
+ ],
+ },
+ }
+}
+
+data "aws_iam_policy_document" "github_oidc_assume_role" {
+ for_each = local.mirror_roles
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+
+ principals {
+ type = "Federated"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.github_domain}"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "${local.github_domain}:aud"
+ values = [each.key]
+ }
+
+ condition {
+ test = "StringEqual"
+ variable = "${local.github_domain}:sub"
+ values = each.value.conditions
+ }
+ }
+}
+
+resource "aws_iam_role" "source_mirror_sync" {
+ for_each = data.aws_iam_policy_document.github_oidc_assume_role
+
+ name = "SourceMirrorSync${local.mirror_roles[each.key].role_name_suffix}"
+ assume_role_policy = each.value.json
+ max_session_duration = 3600 * 1 # only allow a max of 1 hours for a session to be active
+}
From cc8ded6d67eaa664cbe3f06e629155f6ed439515 Mon Sep 17 00:00:00 2001
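Review bot: The second `condition` block of the trust policy uses `test = "StringEqual"`, which is not an IAM condition operator (the `aud` condition directly above it correctly uses `StringEquals`), and neither the later hunk on this file in patch 2/4 nor patch 4/4 corrects it. This is the condition that binds the role to `repo:spack/spack-packages:ref:refs/heads/develop`, so IAM should reject the document as malformed at apply time rather than leave the `sub` claim unconstrained; the fix is `test = "StringEquals"`. A short comment on the `conditions` list noting that this is the default branch-ref subject shape, so a job that runs under a GitHub `environment` presents `repo:…:environment:…` and is rejected, would save a future debugging session. Separately, `name` concatenates `SourceMirrorSync` with a suffix that itself begins with `SpackSourceMirror`, giving names like `SourceMirrorSyncSpackSourceMirror-blue` for the prod/blue values wired in patch 2/4; one of the two prefixes is probably redundant.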
From: Ryan Krattiger Date: Wed, 22 Apr 2026 13:35:44 -0500 Subject: [PATCH 2/4] Enable in production only --- terraform/modules/spack_github/mirrors_iam.tf | 2 ++ terraform/modules/spack_github/variables.tf | 11 +++++++++++ terraform/production/main.tf | 9 +++++++++ 3 files changed, 22 insertions(+) create mode 100644 terraform/modules/spack_github/variables.tf diff --git a/terraform/modules/spack_github/mirrors_iam.tf b/terraform/modules/spack_github/mirrors_iam.tf index 19c59d00f..99d7d8185 100644 --- a/terraform/modules/spack_github/mirrors_iam.tf +++ b/terraform/modules/spack_github/mirrors_iam.tf @@ -11,6 +11,8 @@ locals { } } +data "aws_caller_identity" "current" {} + data "aws_iam_policy_document" "github_oidc_assume_role" { for_each = local.mirror_roles diff --git a/terraform/modules/spack_github/variables.tf b/terraform/modules/spack_github/variables.tf new file mode 100644 index 000000000..01d06f88a --- /dev/null +++ b/terraform/modules/spack_github/variables.tf @@ -0,0 +1,11 @@ +variable "deployment_name" { + type = string +} + +variable "deployment_stage" { + type = string +} + +variable "region" { + type = string +} diff --git a/terraform/production/main.tf b/terraform/production/main.tf index a057dd2c1..fd2e30e1d 100644 --- a/terraform/production/main.tf +++ b/terraform/production/main.tf @@ -26,3 +26,12 @@ module "spack_gitlab" { gitlab_token = var.gitlab_token } + +module "spack_github" { + source = "../modules/spack_github" + + deployment_name = "prod" + deployment_stage = "blue" + + region = "us-east-1" +} From 4b69f8958d5c14374ceecf9af5550cbfd0dbc3bc Mon Sep 17 00:00:00 2001 From: Ryan Krattiger Date: Wed, 22 Apr 2026 13:59:03 -0500 Subject: [PATCH 3/4] More permissive tf version Ubuntu 22 has v1.12.1 available. This seems to work okay with the configs we have currently so it is probably okay to allow. --- terraform/production/versions.tf | 2 +- terraform/staging/versions.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
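Review bot: The three `variable` blocks in the new `variables.tf` carry only a `type`, yet `deployment_name` is special-cased against the literal `"prod"` in `mirrors_iam.tf` to decide whether the role name gets a suffix, and nothing at the module boundary documents that contract. A `description` on each variable, e.g. `description = "Deployment name; \"prod\" is treated specially and produces no name suffix."` on `deployment_name`, would make the naming behaviour visible to callers such as the `module "spack_github"` block added in `production/main.tf`. `region` is declared and passed from that module block, but no `var.region` read appears in any hunk of this series; if the rest of the module does not use it either, it should be dropped rather than left as an unused input.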
diff --git a/terraform/production/versions.tf b/terraform/production/versions.tf index fd43eca08..d6c57d53b 100644 --- a/terraform/production/versions.tf +++ b/terraform/production/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = "~> 1.11.3" + required_version = "~> 1.11" required_providers { aws = { diff --git a/terraform/staging/versions.tf b/terraform/staging/versions.tf index d017269aa..99f64a1ef 100644 --- a/terraform/staging/versions.tf +++ b/terraform/staging/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = "~> 1.11.3" + required_version = "~> 1.11" required_providers { aws = { From df0c86e5890fa51fe315ab2bd283333167ebcecc Mon Sep 17 00:00:00 2001 From: Ryan Krattiger Date: Wed, 22 Apr 2026 14:32:52 -0500 Subject: [PATCH 4/4] Set session time to 6 hours --- terraform/modules/spack_github/mirrors_iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/spack_github/mirrors_iam.tf b/terraform/modules/spack_github/mirrors_iam.tf index 99d7d8185..5ef6f6f38 100644 --- a/terraform/modules/spack_github/mirrors_iam.tf +++ b/terraform/modules/spack_github/mirrors_iam.tf @@ -44,5 +44,5 @@ resource "aws_iam_role" "source_mirror_sync" { name = "SourceMirrorSync${local.mirror_roles[each.key].role_name_suffix}" assume_role_policy = each.value.json - max_session_duration = 3600 * 1 # only allow a max of 1 hours for a session to be active + max_session_duration = 3600 * 6 # only allow a max of 6 hours for a session to be active }
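Review bot: `required_version = "~> 1.11"` in `terraform/production/versions.tf` is wider than the commit message describes: the pessimistic operator on a two-part version admits every `1.x` release from 1.11.0 up to but excluding 2.0.0, so it lowers the floor from 1.11.3 to 1.11.0 and pre-approves 1.13 and later releases that nobody has exercised against these configs. If the intent is only to admit the 1.12.1 that Ubuntu 22 ships, `required_version = ">= 1.11.3, < 1.13"` states that exactly. The same applies to the identical change in the `terraform/staging/versions.tf` hunk. The enclosing `terraform {}` block, including the open `required_providers` and `aws` blocks, continues past both hunks.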