Skip to content

Commit

Permalink
Revert "Limit write access to specific prefix"
Browse files Browse the repository at this point in the history
See write up here:
#355 (comment).
We decided not to pursue this for the time being and revisit at a later
point.

This reverts commit 2f7aefc.
  • Loading branch information
Mark-Simulacrum committed Mar 9, 2024
1 parent bbb7578 commit 10c525e
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 51 deletions.
36 changes: 8 additions & 28 deletions terraform/rustc-ci/impl/artifacts.tf
Original file line number Diff line number Diff line change
Expand Up @@ -150,12 +150,8 @@ resource "aws_s3_bucket_inventory" "artifacts" {
}
}

data "aws_iam_openid_connect_provider" "gha" {
url = "https://token.actions.githubusercontent.com"
}

resource "aws_iam_role" "oidc" {
name = "${var.iam_prefix}--role"
resource "aws_iam_role" "try_builds" {
name = "${var.iam_prefix}--try-role"

assume_role_policy = jsonencode({
Version = "2012-10-17"
Expand All @@ -164,29 +160,11 @@ resource "aws_iam_role" "oidc" {
Effect = "Allow"
Action = "sts:AssumeRoleWithWebIdentity"
Principal = {
Federated = "cognito-identity.amazonaws.com"
}
Condition = {
StringEquals = {
"cognito-identity.amazonaws.com:aud" = "${aws_cognito_identity_pool.main.id}"
// This forces the caller to set the session name according to the caller's run & sha
"sts:RoleSessionName" = "$${aws:RequestTag/run_id}@$${aws:RequestTag/sha}"
"aws:RequestTag/repository" = "${var.source_repo}"
// For now only allow new bors & try builds
"aws:RequestTag/ref" = "refs/heads/automation/bors/try"
"aws:RequestTag/event_name" = "push"
}
}
},
{
Effect = "Allow"
Action = "sts:TagSession"
Principal = {
Federated = "cognito-identity.amazonaws.com"
Federated = "arn:aws:iam::890664054962:oidc-provider/token.actions.githubusercontent.com"
}
Condition = {
StringEquals = {
"cognito-identity.amazonaws.com:aud" = "${aws_cognito_identity_pool.main.id}"
"token.actions.githubusercontent.com:sub" = "repo:${var.repo}:ref:refs/heads/automation/bors/try"
}
}
}
Expand All @@ -202,8 +180,10 @@ resource "aws_iam_role" "oidc" {
Sid = "ArtifactsBucketWrite"
Effect = "Allow"
Resource = [
"${aws_s3_bucket.artifacts.arn}/rustc-builds/$${aws:PrincipalTag/sha}/*",
"${aws_s3_bucket.artifacts.arn}/rustc-builds-alt/$${aws:PrincipalTag/sha}/*",
"${aws_s3_bucket.artifacts.arn}/rustc-builds-try",
"${aws_s3_bucket.artifacts.arn}/rustc-builds-try/*",
"${aws_s3_bucket.artifacts.arn}/rustc-builds-try-alt",
"${aws_s3_bucket.artifacts.arn}/rustc-builds-try-alt/*",
]
Action = [
"s3:GetObject",
Expand Down
23 changes: 0 additions & 23 deletions terraform/rustc-ci/impl/cognito.tf

This file was deleted.

0 comments on commit 10c525e

Please sign in to comment.