From 87601a6c7fbb0a35d180cfa008a39d9be09dc01c Mon Sep 17 00:00:00 2001
From: Jacob Nesbitt
Date: Wed, 22 Apr 2026 16:50:38 -0400
Subject: [PATCH 1/2] Rename github_actions resources to github_actions_readonly
---
 terraform/modules/spack_aws_k8s/eks.tf | 2 +-
 .../modules/spack_aws_k8s/github_actions_iam.tf | 16 ++++++----------
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/terraform/modules/spack_aws_k8s/eks.tf b/terraform/modules/spack_aws_k8s/eks.tf
index d8c2b5fd9..f7c9cdf0d 100644
--- a/terraform/modules/spack_aws_k8s/eks.tf
+++ b/terraform/modules/spack_aws_k8s/eks.tf
@@ -44,7 +44,7 @@ module "eks" {
 var.deployment_name == "prod" ? {
 github_actions_drift_detection = {
 kubernetes_groups = []
- principal_arn = aws_iam_role.github_actions[0].arn
+ principal_arn = aws_iam_role.github_actions_readonly[0].arn
 policy_associations = {
 cluster = {
diff --git a/terraform/modules/spack_aws_k8s/github_actions_iam.tf b/terraform/modules/spack_aws_k8s/github_actions_iam.tf
index 746649c49..3dd9fa6e2 100644
--- a/terraform/modules/spack_aws_k8s/github_actions_iam.tf
+++ b/terraform/modules/spack_aws_k8s/github_actions_iam.tf
@@ -1,7 +1,3 @@
-locals {
- iam_role_name = "GitHubActionsReadonlyRole"
-}
-
 data "tls_certificate" "github_actions" {
 url = "https://token.actions.githubusercontent.com"
 }
@@ -14,10 +10,10 @@ resource "aws_iam_openid_connect_provider" "github_actions" {
 thumbprint_list = [data.tls_certificate.github_actions.certificates.0.sha1_fingerprint]
 }
-resource "aws_iam_role" "github_actions" {
+resource "aws_iam_role" "github_actions_readonly" {
 count = var.deployment_name == "prod" ? 1 : 0
- name = local.iam_role_name
+ name = "GitHubActionsReadonlyRole"
 description = "Managed by Terraform. IAM Role that a GitHub Actions runner can assume to authenticate with AWS."
 assume_role_policy = jsonencode({
@@ -50,11 +46,11 @@ resource "aws_iam_role" "github_actions" {
 }
 # The `ReadOnlyAccess` managed policy doesn't include secretsmanager, so we explicitly grant it here.
-resource "aws_iam_role_policy" "github_actions" {
+resource "aws_iam_role_policy" "github_actions_readonly" {
 count = var.deployment_name == "prod" ? 1 : 0
 name = "read-secrets"
- role = aws_iam_role.github_actions[0].id
+ role = aws_iam_role.github_actions_readonly[0].id
 policy = jsonencode({
 "Version" : "2012-10-17",
@@ -72,9 +68,9 @@ resource "aws_iam_role_policy" "github_actions" {
 # This policy grants the GitHub Actions role read-only access to most resources in the AWS account.
 # There are some exceptions, such as secretsmanager (see inline_policy above)
-resource "aws_iam_role_policy_attachment" "github_actions" {
+resource "aws_iam_role_policy_attachment" "github_actions_readonly" {
 count = var.deployment_name == "prod" ? 1 : 0
- role = aws_iam_role.github_actions[0].name
+ role = aws_iam_role.github_actions_readonly[0].name
 policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
From 7f415235c85b9685fd28b615353dadbe7219b09d Mon Sep 17 00:00:00 2001
From: Jacob Nesbitt
Date: Wed, 22 Apr 2026 16:51:04 -0400
Subject: [PATCH 2/2] Allow github actions to put objects to source mirror
---
 .../spack_aws_k8s/github_actions_iam.tf | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
diff --git a/terraform/modules/spack_aws_k8s/github_actions_iam.tf b/terraform/modules/spack_aws_k8s/github_actions_iam.tf
index 3dd9fa6e2..635fa0192 100644
--- a/terraform/modules/spack_aws_k8s/github_actions_iam.tf
+++ b/terraform/modules/spack_aws_k8s/github_actions_iam.tf
@@ -74,3 +74,60 @@ resource "aws_iam_role_policy_attachment" "github_actions_readonly" {
 role = aws_iam_role.github_actions_readonly[0].name
 policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
+
+
+# Allow github actions run from the develop branch of spack/spack to put objects into the source mirror
+resource "aws_iam_role" "github_actions_put_to_source_mirror" {
+ count = var.deployment_name == "prod" ? 1 : 0
+
+ name = "GitHubLLNLSourceMirror"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Principal = {
+ Federated = aws_iam_openid_connect_provider.github_actions[0].arn
+ }
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+ }
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = "repo:spack/spack:ref:refs/heads/develop"
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy" "github_actions_put_to_source_mirror" {
+ count = var.deployment_name == "prod" ? 1 : 0
+
+ name = "PutToSpackLLNLSourceMirror"
+ role = aws_iam_role.github_actions_put_to_source_mirror[0].name
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "PutToSpackLLNLSourceMirror"
+ Effect = "Allow"
+ Action = "s3:PutObject"
+ Resource = "arn:aws:s3:::spack-llnl-mirror/_source-cache/*"
+ },
+ {
+ Sid = "ListSpackLLNLSourceMirror"
+ Effect = "Allow"
+ Action = "s3:ListBucket"
+ Resource = "arn:aws:s3:::spack-llnl-mirror"
+ Condition = {
+ StringLike = {
+ "s3:prefix" = ["_source-cache/*"]
+ }
+ }
+ }
+ ]
+ })
+}
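Review bot: The `token.actions.githubusercontent.com:sub` condition in the new `github_actions_put_to_source_mirror` trust policy holds an exact value with no wildcard yet sits under `StringLike`; folding it into the existing `StringEquals` block (`"token.actions.githubusercontent.com:sub" = "repo:spack/spack:ref:refs/heads/develop"` alongside the `aud` entry, dropping the `StringLike` block) states that exactly one branch ref may assume the role and keeps a later wildcard from being introduced without a visible operator change. The new role also lacks the `description` the readonly role above carries; `description = "Managed by Terraform. IAM Role assumed via GitHub OIDC by spack/spack develop-branch workflows to upload to the LLNL source mirror."` would keep the two resources consistent. Note as well that `s3:PutObject` on `_source-cache/*` permits overwriting objects already in the mirror, so the integrity of previously mirrored sources rests on the bucket's versioning or object-lock configuration, which is not visible in this module and is worth confirming. The comment on the first added line reads better as `# Allow GitHub Actions runs from the develop branch of spack/spack to put objects into the source mirror`.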